FROM THE EDITOR: JOHN DIX

The White House plan to safeguard cyberspace

The plan to “reduce cybersecurity vulnerabilities and improve online privacy protections” floated in June by Howard Schmidt, the Cybersecurity Coordinator and Special Assistant to the President, is comprehensive and an important step in the right direction.

To its credit, the administration released the National Strategy for Trusted Identities in Cyberspace (NSTIC) as a draft (tinyurl.com/24daffh, comments due by July 19), realizing that something this big and complex needs input.

The basic idea is to ensure online commerce continues to flourish by using trusted digital identities and authentication to address core security issues. The government will be the “primary enabler, first adopter and key supporter” of what it calls an Identity Ecosystem, but consumers would be able to use the resultant tools to safeguard everything from online banking and shopping to accessing health records.

Instead of issuing its own “Internet license”, the government wants identity service providers to come out with or make existing credentials interoperable so consumers have a choice when it comes to suppliers and can count on the fact that other merchants in the ecosystem will accept those credentials. Ideally, for example, I would be able to use my Bank of America SafePass card — which generates a number used as a second factor when I log onto the bank’s site — to complete a transaction with a Web store.

As some have pointed out, there is little discussion in the proposal about how we would ensure the person applying for a credential is who they say they are. If you can game the system from the get-go, that could be even more dangerous than the problems we face today. That said, use of existing credentials would help circumvent that concern. My bank knows who I am.

Others have taken issue with the idea of centralizing identities, saying that’s putting all our eggs in one basket. Having multiple identities is inherently more secure, they argue. Perhaps, but that’s what we have today and we still have these problems, so that argument doesn’t seem to hold water. Then there is the whole big brother thing, the fear of the government logging our activities. Here again, the fact that this is government sanctioned vs. government issued should help.

The point is that the proposal isn’t fully baked, nor does it pretend to be. It will be interesting to see what comes out of this review period and see how the plan morphs. The authors also recognize that trusted digital identities address only one part of the layered security needed, but count us among those that think this is a good first step.
Too soon to pin down the cloud

FIRST, WHY WOULD I care whether I get the entire stack from one provider, if I am looking for an open cloud platform, which I can extend or reconfigure using components from various providers?

(Re: Only Microsoft and Red Hat have all the pieces to build clouds, Red Hat says; tinyurl.com/37b9s7r.)

Which brings me to “too early” — second issue: clouds are not yet standardized. There’s no simple and easy way to migrate an app from EC2 to app engine. It’s risky to invest into cloud apps right now. Give it some time, push for standardization, then, when standards-compliant service providers start operating large public clouds, carefully start deploying apps conforming to standards. Wait some more years until security issues are ironed out, and only then fully embrace the cloud paradigm.

Third, I’m not fully convinced that the cloud is the proper solution to all networked apps. There’ll always be Photoshop or mathlab or other apps that are unreasonably run remotely.

There’ll always be apps manipulating data so sensitive that you won’t want it to travel over public networks, let alone be stored in a publicly available cloud.

Therefore, I don’t think the desktop or the dedicated server will die any time soon or not so soon.

Fourth, to downplay what SpringSource does (some very neat app servers, among other things, plus most components to set up a really programmer-friendly cloud), is stupid. The framework they created is an essential piece of work to make enterprise Web apps palatable. Working without spring core feels like wading through knee-deep mud. Programmer time is still one of the most expensive resources in the industry.

Anon

Cisco standard: Innovation or monopoly?

IF THE STANDARD only operates on Cisco gear then how is that a standard?

Standards become useful only if most vendors support them. Sure, Cisco can develop whatever it wants and can do this to meet the needs of the customer base that it wants to sell to. (Re: Cisco wants to be the standard; tinyurl.com/34fc78b.)

If you are a bleeding-edge customer and you want or require the features and functions from a pre-standard offering, then you purchase it and live with the possibility that it may be proprietary and only operate with that vendor’s gear. While it is true that Cisco has substantial market share in many sectors, and they can heavily influence things, I find it hard to believe that the standards bodies will just roll over and accept whatever Cisco puts on the table. This is why companies use rhetoric like “pre-standard”, because they know that there may be modifications. The real issue that people need to be aware of is whether the modifications to meet the eventual standard are just software tweaks that can easily be hidden in maintenance releases, or they require hardware updates that often can be expensive in purchase cost and upgrade time and effort.

Anon

SOMEONE HAS TO do the running, and Cisco has a track record of bringing innovation to networking as a whole, with a large part of that becoming part of or the basis of a standard.

If not Cisco then who would carry that banner — and if another did why would they be loved any more than Cisco?

In my view Cisco is not perfect, but they are good at producing a product that you can depend on, with support and training to match. Those who talk of a premium should look carefully at the support they get from other vendors outside of standard operating hours, and the time to replace a failed kit. When it comes down to it you get what you pay for — and I prefer to pay for 100% uptime, not gamble on it.

Anon
Google on buying binge

NO LONGER CONTENT to watch Microsoft, Cisco and IBM dominate the technology M&A marketplace, Google has spent the first half of the year snapping up more venture-based start-ups than any other company. As July began, Google announced its intention to acquire ITA Software, a maker of air travel flight information technology, continuing a blistering pace that has seen the company purchase about 20 companies in the past 12 months. As Google steps up competition against Microsoft and Apple, it is increasingly purchasing technology and key talent from start-ups, rather than developing it in-house, says Scott Austin, the editor of Dow Jones VentureWire. "They have a lot more competitors, and they need to stay acquisitive to compete," he says. tinyurl.com/3yv6trr

White House neglecting cybersecurity R&D: report

GOVERNMENT RESEARCH and development aimed at bolstering cybersecurity is not getting the attention it requires from the White House Office of Science and Technology Policy (OSTP), according to a 35-page report by the Government Accountability Office. The OSTP was first tasked with creating such an R&D strategy in 2003. Over the years, the OSTP has taken “initial steps toward developing such an agenda,” the GAO report said. However, “one does not currently exist” even today, the report said. tinyurl.com/3ac24q3

400 iTunes customers singing fraud blues

APPLE HAS banned a developer from its App Store after fraudulent purchases of his applications were made from around 400 accounts. Thuat Nguyen and his apps, which at one point reportedly occupied 42 of the top 50 positions in the book sales chart, were “removed from the App Store for violating the developer Program License Agreement,” Apple’s Trudy Muller said. “The iTunes servers were not compromised.” Apple advised users who suspected fraudulent purchases were made to contact their bank and cancel the credit card in question. Apple also said users should change their iTunes password. tinyurl.com/3y9736v

Amazon.com... groceries?

AMAZON.COM HAS launched a grocery delivery service in the U.K., following the recent kickoff of a similar service in Germany. The online retailer said it has 22,000 product lines ranging from cleaning products to fresh fruit to beer and pet food. Items that Amazon directly fulfills will be delivered in the mail. Customers have two options for delivery. For an annual $73.50 fee, customers can subscribe to Amazon’s Prime membership, where an unlimited number of items can be delivered free. Another option is Free Super Saver delivery, which takes between three to five days after items are dispatched. ... Maybe not the best option for seafood. tinyurl.com/34eg9rj

He’s baaaack: Ballmer to headline CES

RUMORS ABOUT Microsoft CEO Steve Ballmer speaking at Apple’s Worldwide Developers Conference turned out to be fiction, but Ballmer will deliver a keynote at the mammoth CES show in January. The Consumer Electronics Association announced last week that Ballmer will give the preshow keynote address on Jan. 5 in Las Vegas, just as he did earlier this year. At the 2010 CES, Ballmer showed off a few Windows 7 slate PCs, including one made by HP. HP ultimately dropped Windows 7 from its Slate tablet, however, so Ballmer will hope to make a product announcement with a little more staying power at next year’s CES. In past years, Microsoft has also used the CES stage to announce the Xbox and Windows Vista. tinyurl.com/2vxvdsj

Chipper outlook for chips, says IDC

AFTER SEEING chip sales decline in 2009, the semiconductor industry’s fortunes are looking brighter in coming years, according to IDC. Worldwide chip sales slipped 9% in 2009, to $225 billion, but demand is stronger now and chip sales are expected to grow at a compound annual rate of 8.8% through 2014, the research firm said. “Order rates are now normalizing after very exuberant rates in the fourth quarter of 2009 and the first quarter of 2010,” IDC said. Worldwide sales will hit $274 billion in 2010 — an increase of 22% over the previous year — and grow to $344 billion in 2014, the firm said. tinyurl.com/32v8efj

Are you a snoop?

IN A survey of IT professionals, 67% admitted having accessed information that was not relevant to their role, and 41% admitted abusing administrative passwords to snoop on sensitive or confidential information. The survey was conducted by security firm Cyber-Ark Software, which earlier this spring asked 400 IT professionals from the United States and the United Kingdom questions about snooping. About 245 IT professionals answered: “Have you ever accessed information on a system that was not relevant to your role?” and “Have you or any of your colleagues used the admin password to get at information that is otherwise confidential or sensitive?”

Trade group warns of ’Net tax bill

THIS ISSUE has been around as long as the Internet. A new bill before Congress that would require Internet sellers in many states to collect sales tax would hurt small businesses online, a tech trade group said last week. The Main Street Fairness Act, introduced recently by Rep. Bill Delahunt, D-Mass., would allow states to force online sellers to collect sales tax, even if the seller has no physical presence in the state. Under current U.S. rules, Web sites must charge a tax on sales only when the customer is in a state where the seller has a physical presence. “Given the current economy, it would be unfair and unwise to burden online vendors with the task of sorting through the policies of thousands of taxing authorities around the country, and serving as revenue collection agencies for each of them,” said the Computer and Communications Industry Association (CCIA). tinyurl.com/3y7yw6a

Nokia asks Russia for help; Apple can relate

NOKIA HAS asked Russian authorities to help retrieve what it says is an unauthorized model of a future phone that a blogger wrote about and photographed on a phone review site. (No word if Steve Jobs was advising the company or not.) Last week, Nokia wrote in a blog post that it had asked Russian authorities for help with the return of Nokia property in the possession of Eldar Murtazin, a blogger. In April, Murtazin wrote a brief blog post, in Russian, on the Mobile Review site that included photos of the N8. The N8, which will be the first phone to run the first open-source version of Symbian, isn’t yet available. Nokia says that it formally requested the return of the phone from Murtazin but got no response. tinyurl.com/39bdz6x

Security freebies

ACCORDING TO a new study, lots of people are using free security software. Opswat, which sells a development toolkit used to manage third-party security apps, concluded in its study that despite high brand awareness for companies such as Symantec and McAfee, their security software does not necessarily dominate the market in terms of installations. Forty-two percent of the market is composed of free products, according to the report, which focused on endpoint security software. Opswat gathered the data from Windows users running AppRemover, an application designed to completely uninstall security applications, and Am I Oesis OK?, which can detect whether security applications are compatible with other third-party applications.

60 GHz and WiGig explained

Farpoint Group Principal Craig Mathias discusses the 60 GHz wireless spectrum and how it will open up new speeds for wireless transmission. tinyurl.com/39dw7q2

AT&T points the finger

HEAVY DEMAND for upload capacity from the iPhone 4 has exposed a flaw in the software for Alcatel-Lucent’s 3G network equipment, temporarily forcing lower upstream speeds for some AT&T subscribers. Alcatel is working on fixing the bug and expected last week to know soon when it will be fixed, according to a company spokeswoman. The flaw did not cause problems until the introduction of the iPhone 4, which comes with features such as high-definition video that can require a fast connection from the phone up to the network, she said. Downstream performance is not affected. Because the problem only exists in areas where AT&T uses Alcatel equipment, it affects only about 2% of the carrier’s mobile subscribers, said AT&T spokesman Mark Siegel.
Cloud computing providers working in secret

BY ELLEN MESSMER

DESPITE HOW attractive cloud computing can sound as an outsourcing option, there’s widespread concern that it presents a security and legal minefield for businesses and government. Cloud service providers often cultivate an aura of secrecy about data centers and operations, claiming this stance improves their security even if it leaves everyone else in the dark.

Businesses and industry analysts are getting fed up with this cloud computing version of “don’t ask, don’t tell,” where non-disclosure agreements (NDA) dominate, questions aren’t answered, and data center locations and practices are treated like national security secrets. But public cloud service providers argue their penchant for secrecy is appropriate for the cloud model — and at any rate, everyone’s doing it. They often hold out their SAS-70 audit certifications to appease any worry (though some don’t have even that).

“The business data you store in Google’s cloud is safe,” said Google product marketing manager Adam Swidler at the recent Gartner security conference held in National Harbor, Md. He emphasized that Google’s multi-tenant distributed model entails “splicing data across many hard drives” so that in this “hardened Linux stack” there’s a “quick update of all fragments of all files in the hard drives,” a process he called “obfuscated files.”

Swidler acknowledged there has been some secrecy about where things are located because “we think it’s a security risk.” Nonetheless, “Google is trying to open up a little transparency in what we do,” he said.

Currently, the information Google will disclose publicly or even under NDA won’t satisfy everyone, Swidler acknowledged. “It’s not enough for everybody. Some people do want to go deeper.”

The location of data centers is a big issue in contract negotiations, where legislative and judicial issues abound. For instance, the location of data is an issue under some data-privacy laws, such as those from the European Union. But while customers often care about where their data is physically located, Google “believes this notion of where is data physically located is a bit antiquated,” Swidler said.

Many disagree, however. Customers want to know where a cloud provider’s data center is, says Kurt Jackson, managing director in a Pitney Bowes Insight division called OnDemand that offers software-as-a-service applications, such as maps for city services, to business and government customers.

The willingness of cloud provider Terremark to allow site visits and to discuss details about its data centers and its physical and network security was critical in the decision to use Terremark, Jackson says. “If you’re running in Miami, you know you’re in Miami,” he says. “Some other providers just aren’t as transparent.”

The argument over transparency vs. secrecy in cloud computing is leading to a culture clash between the more traditional ways of handling data outsourcing and the newer cloud-computing utility methods and mindset.

Gartner analyst John Pescatore says it’s simply not possible to know whether Google’s technique of “hiding the data in a million places” is good security or not since there’s no way to evaluate it. Speaking at the Gartner security conference, he said SAS-70 certification of any public cloud provider may be considered adequate for some customers, and not others. “SAS-70 is pretty meaningless from a security level, but it makes auditors happy.”

Organizations with certain kinds of sensitive data are simply unlikely to find public cloud computing a right fit until the day comes when they can be sure their favorite security mechanisms are running in their cloud environment, Pescatore said.

Cloud computing challenges traditional notions about auditing and security, and it’s possible a new way of auditing needs to evolve.

“If your service provider won’t give you information about security processes and plans in order to do what’s necessary, you shouldn’t trust that provider,” says Andreas Antonopoulos, an analyst with Nemertes Research.

The old idea of “security by obscurity,” which suggests you can defend your security position best by keeping mum about everything, is misguided, he says. “It doesn’t work. There’s always someone who knows,” Antonopoulos says. If you hear someone try to get your business by uttering that phrase, “run far and fast.”

Analyzing the fine print

Legal experts took notice when the city of Los Angeles posted its contract with Google related to the city’s migration to Google e-mail and collaboration services with the help of IT services firm CSC.

David Navetta, an attorney at Information Law Group, recently completed an analysis of the lengthy contracts with Google and CSC to determine how each side fared in defining responsibilities related to a potential data breach and indemnification of damages.

He notes Google is defined in the arrangement as a CSC “subcontractor,” and “therefore, as respects indemnification for a breach of confidentiality obligations or for lost City Data, CSC would be responsible to pay for Google’s act or error.” However, he thinks the term “lost data” should have been defined more clearly in the contracts.

Speaking in general about the job of evaluating and approving cloud services contracts, Navetta says it’s common to encounter a rushed environment where cloud service providers insist they don’t have time to discuss details and don’t want to make changes.

“The usual line is ‘we can’t do this one change for one customer,’” Navetta says. Security and legal are typically “on the same side of the aisle,” while the IT department wants to get something done quickly to save money. He says cloud providers often don’t want to “let people truly look under the hood” and using them “constitutes a trade-off because you’re losing control.” Not surprisingly, large companies and government agencies can be expected to obtain more concessions from cloud-service providers.

But not all organizations have found they fret over contracts.

Lincoln Cannon, director of Web systems at Merit Medical Systems, says the manufacturer has taken a few steps into cloud computing with Google Apps and Telania’s eLeap for sales training, as well as Amazon for development work related to a new corporate Web site.

The providers’ boilerplate legal agreements were given to the legal department, which redlined them and went back and forth until both partners were satisfied, Cannon says. “The legal team was perfectly happy with Google Apps,” he says. The most concern over cloud computing probably came from the CIO because of his data-protection responsibilities related to Sarbanes-Oxley regulations, Cannon says.

Not all cloud service providers harp on secrecy, either.

Cloud infrastructure services provider ReliaCloud has two data centers in the Minneapolis/St. Paul area, and has about 100 cloud customers using its new VMware-based environment built on a management platform designed by Cloud.com, says CTO Jason Baker.

However, most of the hosting provider’s 5,000 customers continue to use the more traditional method the firm offers that entails use of dedicated servers in cages, Baker says. The idea of cloud computing is still very new and customers are trying to understand what’s different. But Baker says he’s convinced a shared-tenant virtual-machine-based cloud service carries some inherent security attributes in terms of high availability that can’t be matched by dedicated servers.

“It’s more reliable,” he says. “If your application is running on one physical box, the customer would experience downtime. But in a cloud, we have a pool of virtual machines, and if one physical node goes down, we would automatically start somewhere else in the cloud.” In addition, he says, use of some APIs in the future could allow customers’ applications to sense when an increase in computing power is needed and execute that at once.

Unlike some cloud providers, Baker is willing to tell you about security defenses in use, such as the Cisco ASA firewall.

The question for customers is how far the public cloud providers are going to pull back the kimono, says HP’s chief security strategist Chris Whitener. “You should sort of insist on that,” he says. ■

Census Bureau counting heads in the cloud

BY CAROLYN DUFFY MARSAN

THE U.S. Census Bureau is singing the praises of cloud computing.

Census is taking advantage of several cloud-based computing services — from content delivery networks to hosted applications to free Web-based services — for its decennial survey.

Census CIO Brian McGrath says the bureau has had a great experience buying software and infrastructure as a service, and that this approach has been an efficient and cost-effective way to meet the peak processing demands from the 2010 Census.

“We use the cloud in eight specific instances around the decennial survey,” McGrath says. “That provided a huge benefit for us because we didn’t have to stand up an infrastructure. We knew our requirements were for a definite period of time.”

The Census Bureau’s positive experience with cloud computing comes at a time when U.S. government agencies are being encouraged by Federal CIO Vivek Kundra to embrace cloud computing as a way of saving taxpayer dollars. Supporting Kundra’s position, a recent Brookings Institute survey estimated that government agencies can save 25% to 50% by using cloud-based computing services instead of internal IT resources.

Industry observers say many agencies are interested in building their own private clouds.

“Fear of information being made available over the public Internet is keeping federal

► See Census, page 12


Inside the cloud security risk

While cloud computing offers many benefits, it can also create numerous information security risks. A report issued by the watchdogs at the Government Accountability Office found these threats to federal agency and consequently private and public enterprise cloud projects:

CONTROLS: the possibility that ineffective or non-compliant service provider security controls could lead to vulnerabilities affecting the confidentiality, integrity, and availability of agency information.

LOSS: the potential loss of governance and physical control over agency data and information when an agency cedes control to the provider for the performance of certain security controls and practices.

BAD APPLES: the insecure or ineffective deletion of agency data by cloud providers once services have been provided and are complete; and potentially inadequate background security investigations for service provider employees that could lead to an increased risk of wrongful activities by malicious insiders.

SHARED GOODS: Multitenancy, or the sharing of computing resources by different organizations, can also increase risk because one customer could intentionally or unintentionally gain access to another customer's data, causing a release of sensitive information. Another concern is the increased volume of data transmitted across agency and public networks. This could lead to an increased risk of data being intercepted in transit and then disclosed.
► Census, from page 10

agencies from wanting to use the public Internet as the cloud,” says Susan Zeleniak, group president of Verizon Federal. “They’re going to want to use private clouds. That’s what we see more.”

Census said it spent $11.8 million altogether on the eight cloud computing efforts that supported the 2010 Census.

In January, Census began using Akamai to enhance the performance of its redesigned Web site, www.census2010.gov, which features video clips, blogs and other interactive content aimed at citizens. The new Web site attracted 4 million to 5 million hits a week at its peak, about double the traffic of the bureau’s legacy Web site, www.census.gov, aimed at statisticians.

“For our new Web site, we went to the cloud,” McGrath says. “We went with an infrastructure-as-a-service solution, and what a great experience that was. We contracted with Akamai to use their CDN... At the peak of our usage, we were servicing somewhere around 85% of our content from the edge, and it was not even coming back to our infrastructure.”

McGrath says using the Akamai network provided a better Web experience to citizens for less money than building their own network. Akamai also provided a barrier against distributed denial-of-service (DDoS) attacks.

“That was a huge concern for us that in the height of the decennial activity if we were a target of a [distributed] DoS attack or the site would go down or the performance would go down that it would reflect negatively on the Census Bureau and deter citizens from participating,” McGrath says. “Using the CDN was a huge positive lesson.”

Census also used several software-as-a-service (SaaS) providers, including RightNow, which provides self-service customer support such as searchable FAQs. Census says it was able to get RightNow up and running 25 days after purchasing the system. Census says it would have taken six months just to select the IT infrastructure required to run the application in-house.

Census uses GovDelivery, which provides outsourced e-mail delivery services to public sector clients. GovDelivery’s built-in blogging tool was used by the Census Bureau director to publish a blog within days of buying the service.

The bureau’s Integrated Partner Contact Database is built upon Salesforce.com’s platform, which it paid for on a subscription basis. Census was able to tweak the configurations on the Salesforce.com software, rather than having to conduct any custom programming.

Census also uses the free Google Maps API to quickly develop mapping applications, including an assistance center lookup and an interactive road tour.

To speed up acquisition of these cloud-based services, Census partnered with other federal agencies, including the National Institute of Standards and Technology (NIST), and chose SaaS vendors that had already been certified by another agency. NIST is leading a federal cloud computing advisory council that is setting cloud standards and certifying cloud-based service providers to make it easier for agencies to buy cloud computing services.

“We didn’t have to re-certify and re-accredit the systems, and it really pushed the delivery of the service down from months to days or weeks,” McGrath says.

McGrath says the bureau is looking to expand its use of commercial cloud-based computing services where appropriate, and is also leveraging its experience with these vendors to build the Census private cloud.

“We have a pretty aggressive internal cloud effort that we are building out,” McGrath says. “There are still some concerns about the security in the public cloud. I have every confidence that those will work out in coming years. For us, [the plan] is to leverage the efficiencies of cloud technology and build an internal cloud.”

One reason Census can move so aggressively into cloud computing is that it has been migrating to virtualization over the last 18 months. As of June, the agency had 427 virtual machines running on 57 server platforms. Census uses VMware as its virtualization platform. The bureau says it has spent $6.1 million on the hardware and software for its Windows virtual farm.

“We’ve highly virtualized our Windows environment,” McGrath explains. “We’ve gone from a model where we had one application on one server. Now we’ve got hundreds of guests in our virtual farms, and we are realizing significant savings of $2 million a year because we’ve compressed down our hardware footprint.”

Next up for Census is virtualizing its Linux servers, which are standardized on Red Hat. “We’re doing a cost-benefit analysis,” McGrath says. “It looks like of our 1,000 Linux servers, 80% are very good candidates for virtualization because they are probably running at 20% utilization or less.”

Census also is looking at homogenizing and virtualizing its storage platforms, which contain more than 2.5 petabytes of data from the decennial census and other regular economic surveys that the bureau conducts.

“Virtualization is a piece of the overall cloud architecture,” McGrath says. “It’s a logical first step because what it allowed us to do is to really show in a limited investment, in a limited scale, the benefits of the cloud... We’ve been able to demonstrate to our customers that we are able to reduce our footprint, we’re able to provision services more efficiently with less operations and maintenance costs, and our security costs are reduced because we can do security at the architecture level.” ■
TECH PRIMER

SIP trunking: A primer

How connecting your IP PBX to a SIP trunk can save serious cash

BY BRAD REED

TDM TRUNKS have long served to connect corporate PBXs to the public switched telephone network. But with more companies moving to VoIP, SIP trunking has become an increasingly popular technology companies can use to simplify their network architecture and save money. Here are the basics:

Just what is SIP trunking?

Let’s take it one part at a time. SIP refers to Session Initiation Protocol, the standard developed in the 1990s by the Internet Engineering Task Force that is used to set up and terminate VoIP calls and generate dial tone. A SIP trunk, then, is a broadband Internet link that utilizes SIP to connect a company’s IP-based PBX to an Internet telephone service provider (ITSP). Instead of terminating the trunk directly at the IP PBX, for security’s sake companies tend to terminate the trunks at a SIP-capable session border controller that acts as a firewall.

How does a SIP trunk save money?

SIP trunking saves money by drastically consolidating and simplifying your voice architecture. SIP trunks can support voice, data and video all over IP, meaning a single trunk can replace multiple TDM trunks.

“If you have multiple offices and have a highly distributed network, you’re probably going to have a lot of TDM trunking going into those organizations,” says Michael Leo, of Acme Packet. “With SIP trunking you can reduce your traditional amount of TDM connectivity by better utilizing connectivity across the board.”

SIP trunking also makes it possible to add capacity during times of high call traffic. If you rely on T-1 lines, for instance, you have to purchase 24 channels even if you only use five of them at any given time. With SIP trunking, if your provider supports the capability, you just assign bandwidth to locations as needed to deal with high call volume. “Without SIP trunking you have to buy extra lines and pay for them all year whether you need them or not,” says Nemertes Research analyst Irwin Lazar. “With SIP trunking you can burst call access during special times.”

How much money can it save?

Lazar estimates that on average companies that adopt SIP trunking save 20% to 60% from what they pay now for TDM trunks. Citing one case study, Leo from Acme Packet says he knows of one company that used 1,500 SIP trunks to replace 2,250 trunks, a shift that reduced telecom expenses from $5.4 million per year to $945,000 per year.

What questions should I ask a SIP trunk service provider before investing?

The big one is simply whether SIP trunks will be available for all your branches. As Leo notes, businesses with offices in rural or remote areas could have difficulty finding a vendor that covers all their locations: “As service providers ramped up they have addressed large metropolitan areas first. But when you get to more remote locations it’s lagging behind. It’s only been in the last two years that SIP trunking has become available to enterprises.”

The second big question has to do with interoperability, as many SIP trunking providers will only support a limited number of vendors. In other words, some SIP trunk providers may only support session border controllers from Avaya while others might only support session border controllers from Cisco.

And finally, you’ll want to ask about pricing schemes, both in terms of overall installation costs and flexibility to quickly and affordably add capacity. Because SIP trunks are still a relatively new technology, they don’t really have standardized pricing schemes and can vary widely in the services they provide.

“You’ll definitely want to ask them how quickly they can get a SIP trunk up and running,” says Anne Coulombe, an Avaya executive. “Some of the tier-two service providers are extremely rapid in being able to ramp up SIP trunks, while the big carriers are a little slower.”

Is there any business where a SIP trunk is not worth the investment?

SIP trunks provide the most efficiency for businesses that have multiple locations spread out over a wide area. If you only have one central location, or if you have offices that are located in a very concentrated geographic area, then a SIP trunk will probably not be worth your time.

“If you’re a company that’s already oriented toward TDM and most of your calls go between one or another town, then you might not need SIP trunking,” Coulombe says. “So a pharmacy with only two branches might not need it, but if that pharmacy grew to have 15 branches then SIP trunking would be really worthwhile for them.” ■
TREND ANALYSIS

Poor SSL set-up can kill e-commerce

Black Hat talk will show how poor SSL implementation can hurt online business

BY TIM GREENE

ONLINE MERCHANTS are shooting themselves in the foot with faulty SSL deployments that trigger alarms scaring customers away before they have the chance to complete transactions.

The problem is not with SSL technology, but with factors surrounding its implementation that hurt security or the perception of security, either of which can undermine customer trust, says Ivan Ristic, director of engineering, Web application firewall and SSL services at Qualys, who will present “State of SSL on the Internet: 2010 Survey, Results and Conclusions” at the Black Hat 2010 conference later this month.

Notable among the problems is the mismatch between the domain names listed on SSL certificates and the domain names of the merchants, he says. This mismatch triggers browser popup warnings that the certificate may be invalid, and at that point potential customers may choose to bail out of transactions, Ristic says. “We are creating a sense of fear among customers that there are problems around every corner,” he says. “Technically, SSL is a very good protocol. The way we use it today is not very good.”

At Black Hat, Ristic will reveal the results of an extensive study he has led about usage of SSL and its newer incarnation, Transport Layer Security (TLS), with the aim of addressing problems that appear on Internet sites. He is still crunching the numbers from his year-long survey of Web sites, but has a sense of the prevalent issues. “There is some evidence that 50% of all SSL problems are due to misconfiguration and do not come from any vulnerabilities as such,” he says.

SSL done wrong

Researcher Ivan Ristic will tell Black Hat 2010 that after eliminating domain names for a variety of reasons shown here, he has come up with comparatively few that support SSL properly.

[Chart: domain names eliminated at each stage of the survey]
Warrant further consideration: 0.72M
SSL not running through Port 443: 31.02M
Failed to resolve: 12.4M
Failed to respond: 14.6M
Mismatch of domain name and domain name in SSL cert: 21.93M

In many cases, once users recognize the shortcomings of their implementations, they could fix them in an hour or so, greatly improving the site’s overall security.

He says his talk will focus on three areas: the certificates; which version of SSL is used; and configuration weaknesses in the type of Web server, cipher suites and protocol support, among others. The survey looks for sites using known insecure versions of SSL that should have been replaced and other bad practices that undermine security, he says.

The goal of research by SSL Labs is to find best practices among real SSL sites. So far, the study has tried to find as many SSL servers as it can on the Internet, and Ristic decided to do so by connecting to as many of the 193 million registered domain names as possible. He readily got all the .com, .net, .org, .biz, .us and .info names, which gave him the 119 million he started with.

Then he weeded out the ones that looked unpromising: those that failed to resolve (12.4 million) and those that failed to respond (14.6 million). Of the remaining 91.65 million, only 33.69 million opened Port 443, which is designated for SSL. Of those, 22.65 million were actually running SSL through the port.

According to SSL Labs’ criteria, certificates with domain names that don’t match the sites’ domain names should be considered invalid, ruling out another 21.93 million. That left just 719,093 SSL sites worth considering further to find out how to do SSL right, he says.

The expense of setting up SSL sites through Web hosts may also be a factor in bad implementations, Ristic says. Businesses that want to process customer transactions online need SSL, and if they want to use their own SSL certificates that feature their domain names, they also need unique IP addresses. There are hosting services that share SSL certificates among customers, but these will run into the problem of the certificate domain name not matching the business domain name.

Hosting SSL servers on virtual machines as part of hosting providers’ services is needed to drop the cost of properly carried-out sites, Ristic says.

Improved online sales also depend on the performance of SSL sites, and that performance will be the subject of later reports by SSL Labs, he says. The current report will tap more than 300 factors gathered by an automated scan of the sites SSL Labs deemed worth pursuing.

The test gleans information about the domain common name, alternative names, revocation information, the certificate chain, validation, flavors of SSL and TLS supported and whether the domain supports secure and insecure renegotiation.
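The domain-name mismatch that triggers the browser warnings described earlier, and the common name and alternative names the scan collects, can be checked by a merchant before a customer ever sees the popup. The following is an added example, not SSL Labs' scanner or any code from the article: it applies the subjectAltName-first, whole-leftmost-label wildcard rules to a certificate in the dict shape Python's ssl.SSLSocket.getpeercert() returns. The shared-hosting certificate it tests is constructed, and fetch_peer_cert() is a hypothetical helper for running the same check against a live site.

```python
"""Hostname vs. certificate-name check (added example, not SSL Labs' code).

The certificate dict shape follows ssl.SSLSocket.getpeercert(); the sample
certificate below is constructed to model a hosting provider's shared
certificate that does not name the merchant's own domain.
"""
import socket
import ssl
from typing import Dict, List

# Constructed sample: a certificate shared among a Web host's customers.
SHARED_HOSTING_CERT: Dict = {
    "subject": ((("commonName", "*.examplehost.test"),),),
    "subjectAltName": (("DNS", "*.examplehost.test"), ("DNS", "examplehost.test")),
    "notAfter": "Jan  1 00:00:00 2011 GMT",
}


def cert_dns_names(cert: Dict) -> List[str]:
    """DNS names a certificate is valid for.

    subjectAltName DNS entries take precedence; the subject commonName is
    consulted only when the certificate carries no DNS SANs (RFC 6125).
    """
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match. A wildcard may only be the whole leftmost label,
    must leave at least two fixed labels ('*.com' is rejected), and never
    spans label boundaries ('a.b.examplehost.test' does not match)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers_host(cert: Dict, hostname: str) -> bool:
    """True when the site's hostname is covered by one of the certificate's names."""
    return any(name_matches(n, hostname) for n in cert_dns_names(cert))


def mismatch_report(cert: Dict, hostname: str) -> str:
    """One-line finding in the spirit of the survey's mismatch category."""
    names = ", ".join(cert_dns_names(cert)) or "(no DNS names)"
    if cert_covers_host(cert, hostname):
        return f"OK: {hostname} is covered by certificate names [{names}]"
    return f"MISMATCH: {hostname} is not covered by certificate names [{names}]"


def fetch_peer_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> Dict:
    """Hypothetical helper: fetch a live site's validated certificate as a dict.

    Chain validation stays on (CERT_REQUIRED); only Python's built-in hostname
    check is switched off so a mismatch is reported rather than raised.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # A merchant on shared hosting: its own domain is not in the certificate.
    print(mismatch_report(SHARED_HOSTING_CERT, "shop.example.test"))
    # The host's own subdomain is covered by the wildcard.
    print(mismatch_report(SHARED_HOSTING_CERT, "www.examplehost.test"))
```

The check is written to run on a stored certificate dict so it can be applied to a scan's output offline; pointing fetch_peer_cert() at a site of your own and passing the result to mismatch_report() gives the same verdict a browser would reach.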

Each  scan  takes  5  to  50  seconds  depending 
on  network  latency,  and  the  gear  being  used 
can  run  500  tests  in  parallel,  completing 
about  five  per  second,  he  says.  ■ 
Honeypots for hacker detection

MOST CORPORATE networks lack serious oversight, that is, no one is really watching. Watching the network and computer systems is expensive, overwhelming and fraught with false positives. No wonder then that insider attacks go undetected for months, malware proliferates stealthily and hackers can spend their time gradually infiltrating deeper and deeper, undetected. It’s simply too hard to discern between legitimate activities and illegitimate or malicious activities. Without context, wading in the enormous volume of logs or network traffic leads to information overload. How to tell who’s up to no good? Well, you shall know them by their deeds.

Honeypots are an underutilized tactic. Every attack has an exploratory component. When hackers or viruses go probing networks and systems they are usually able to do so unnoticed. Unless they cause a system crash or overwhelm a system, the chances of detection are pretty low. A honeypot is a system that detects unusual activity by creating false targets. In a network, for example, a simple honeypot may allocate the unused IP address space. Then if someone attempts to access an IP address that is not used, an alert can be generated. Similarly, a port-based honeypot could respond to requests on unused TCP ports, creating the illusion of services. Entire computers, or even networks of computers, can be created to lure attackers.

Some may object to the use of honeypots because they might be seen as “entrapment” under the law. I’m recommending the use of honeypots for detection and prevention of attacks, not prosecution. If someone is accessing a system that has no DNS name, no public or registered services, no legitimate function, then it is quite likely that they’re up to no good. Alerting on such access can give security professionals advance warning of attacks with fewer false positives. Of course, there are network diagnostic tools and other management tools that probe entire networks, but it is not very difficult to exclude those. Honeypots can even automate intrusion prevention by temporarily blacklisting IP addresses, thereby acting as booby traps for attackers.
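The port-based honeypot, the exclusion of known management scanners and the temporary blacklisting just described fit in a short Python program. The following is an added example and not code from the column or any vendor: it listens on TCP ports that nothing legitimate uses, records an alert for every connection that is not from an allowlisted scanner, and keeps a time-limited blocklist that a firewall rule could consume. The decoy ports, the scanner address and the block duration are constructed placeholders.

```python
"""Low-interaction port honeypot with temporary blocklisting (added example).

Listens on TCP ports nothing legitimate uses, alerts on every connection
except from the organisation's own scanners, and keeps a time-limited
blocklist. Ports, addresses and the block duration below are constructed.
"""
import socket
import threading
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

DECOY_PORTS: Set[int] = {2222, 3389, 8081}   # constructed: ports unused on this network
SCANNER_ALLOWLIST: Set[str] = {"10.0.0.5"}   # constructed: in-house network scanner
BLOCK_SECONDS = 900                          # how long a source stays blocklisted


@dataclass
class Honeypot:
    alerts: List[str] = field(default_factory=list)
    blocked_until: Dict[str, float] = field(default_factory=dict)

    def record(self, src_ip: str, port: int, now: Optional[float] = None) -> Optional[str]:
        """Handle one connection to a decoy port.

        Returns the alert text, or None when the source is an allowlisted
        management tool (the column's "not very difficult to exclude").
        """
        now = time.time() if now is None else now
        if src_ip in SCANNER_ALLOWLIST:
            return None
        alert = f"honeypot: {src_ip} connected to decoy port {port}"
        self.alerts.append(alert)
        self.blocked_until[src_ip] = now + BLOCK_SECONDS   # refreshed on every touch
        return alert

    def is_blocked(self, src_ip: str, now: Optional[float] = None) -> bool:
        """True while the source's temporary block is still in force."""
        now = time.time() if now is None else now
        expiry = self.blocked_until.get(src_ip)
        if expiry is None:
            return False
        if expiry <= now:                 # block has lapsed: forget the entry
            del self.blocked_until[src_ip]
            return False
        return True

    def active_blocks(self, now: Optional[float] = None) -> List[str]:
        """Sources currently blocked, e.g. to render into a firewall deny list."""
        now = time.time() if now is None else now
        return sorted(ip for ip in list(self.blocked_until) if self.is_blocked(ip, now))


def serve_decoy(hp: Honeypot, port: int, stop: threading.Event) -> None:
    """Accept on one decoy port, record the source, and drop the connection.

    Nothing is sent back, so there is no service to abuse: the appearance of
    an open port is all that is needed to notice the probe.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(8)
        srv.settimeout(1.0)               # wake periodically to check the stop flag
        while not stop.is_set():
            try:
                conn, (src_ip, _) = srv.accept()
            except socket.timeout:
                continue
            with conn:
                alert = hp.record(src_ip, port)
                if alert:
                    print(alert)


def run(ports: Set[int] = DECOY_PORTS, seconds: float = 60.0) -> Honeypot:
    """Run decoy listeners for `seconds` and return the collected state."""
    hp = Honeypot()
    stop = threading.Event()
    threads = [threading.Thread(target=serve_decoy, args=(hp, p, stop), daemon=True)
               for p in ports]
    for t in threads:
        t.start()
    try:
        time.sleep(seconds)
    finally:
        stop.set()
        for t in threads:
            t.join()
    return hp


if __name__ == "__main__":
    state = run(seconds=60.0)
    print("blocked sources:", state.active_blocks())
```

The state object is kept separate from the socket loop so the alerting and expiry logic can be exercised with recorded connection events; the `now` parameter exists for exactly that. In production the same listener would typically run on addresses in otherwise unused IP space, which is the address-level variant the column mentions.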

I’ve applied this tactic successfully on both personal and corporate networks. What perplexes me is that there are so few vendors offering honeypot-like solutions in their products as a standard security feature. Network equipment (routers and switches) could offer phantom honeypot networks that generated alerts. Virtualization software could create entire phantom honeypot data centers. Service providers could use honeypots on unallocated network space. Sophisticated honeypots can even “lure” attackers by creating the illusion of success and escalating the intrusion, profiling the attacker all the way (see www.mykonossoftware.com for one example of this tactic).

There are very few legitimate reasons to go probing in the dark recesses of most networks, operating systems or applications. Honeypots give us an opportunity to set traps in those spaces, making an attacker’s exploratory forays risky and more likely to be detected. A mirage of fake systems can waste attackers’ time, giving us a head start in detecting, identifying and thwarting them. That’s how you catch hackers with honey. ■

Antonopoulos is a senior vice president and founding partner at Nemertes Research, an independent technology research firm. He can be reached at andreas@nemertes.com.


TOOLS

Ctera brings the cloud down scale

Mark Gibbs’ Gearhead

Last week I reviewed the Alex e-book reader from Spring Design (tinyurl.com/3ac9xqw) and complained that the device didn’t support PDF or text documents. I was foolishly relying on the product specs, which didn’t mention anything about PDF documents. It turns out that the Alex can read and render PDF files, but here’s the rub: The Alex can’t “re-flow” the content in a PDF file.

This is to say that when you zoom in because the text is too small, the text on each line isn’t reformatted and wrapped to fit the screen. This means you have to scroll left and right and up and down to view the text.

Scrolling is something the Alex can do but it’s tricky because you have to press the synchronize button so the PDF document shown on the large electronic paper display (EPD) up top is shown on the device’s smaller touch-sensitive LCD display below. Then, using your finger, you move the image on the LCD, and the EPD display is updated to show the new position.

This is like using a remote control on a TV and makes for an experience that isn’t much like reading a book.

And when you leave the document, your zoom and position settings aren’t retained so when you return you’re back to the whole page view. This is hardly an adequate implementation of PDF viewing.

I’m told a future update will address this.

Even so, I still like the Alex.

Now onto the cloud, which is still the hot technology pin up. I last discussed the cloud when I reviewed Gladinet’s desktop cloud storage tool some months ago.

I have another interesting network storage solution that is ideal for workgroup or small office/home office (SOHO) use: The Ctera C200, a $499 device that provides network-attached storage (NAS) services as well as storage-area network (SAN) services along with optional backup to Ctera’s online storage services.

The C200 is a small (6.4 by 8.27 by 3.74 inch) device that consumes a measly SO watts of power. It has two drive bays for 3.5-inch SATA drives, which can be hot swapped. Given that 3TB SATA drives are now available, a C200 could, in JBOD (Just a Big Old Disk) configuration, provide 6TB, which should keep even large workgroups happy for a long time. Alternative storage configurations include RAID 0 (striped) and RAID 1 (mirrored).

The C200 is configured through its Web interface. File sharing is supported through CIFS (Windows File Sharing), AFP (Apple Filing Protocol), Apple Time Machine, FTP, WebDAV, and good ol’ rsync. Through client shares a so-called “clientless” backup is supported.

► See Gearhead, page 17


IT asked and answered

Ron Nutter tackles your tough tech questions at tinyurl.com/yg2o434

Q: Our HR department has come to me with a request to block certain types of Web sites, i.e., file sharing, adult themed, etc. How much will a solution cost, how long to implement and what type of ongoing maintenance support is required/available?

A: Two solutions that come to mind are Websense and SmartFilter. These options will require you to set up a server for the application and make some minor changes to your firewall to point to the tool for go/no go decisions. In fact, I would start by checking the firewall to see what options are supported. If funds are tight I noticed this option that SANS posted: tinyurl.com/35gwj63. Basically it involves setting up a Linux server running BIND with some configuration scripts. If you aren't familiar with Linux, don’t worry, it isn’t that hard to do. I set up a pair of BIND servers for a small college so all requests from users on campus came through those servers but any DNS requests that came from the outside were met with a DNS root hints message if the request was for a domain the college wasn’t hosting. Once you decide on how you are going to proceed, make sure HR and Legal are both on board. It is a good idea to make legal aware of what is going on in case something happens. Keep good records to make sure you are protected, including a good e-mail trail from HR on their approval for the changes. Once this is all set up, establish a formal change process so there is a set path that has to be followed when any changes for Internet access are requested.
GADGETS

Keith Shaw’s Cool Tools

Uploading HD video wirelessly? Yes you can!

A LOT HAS been written about the iPhone 4’s ability to record HD video, and its inability to upload via the AT&T 3G wireless network (maybe next year, guys). However, there’s another way you can record HD video and upload it wirelessly (via Wi-Fi), with the help of two cool tools:
Gibbs has a clouded view. Your vision to gearhead@gibbs.com.

► Gearhead, from page 16

Ctera also provides an installable client for Windows XP, Vista and Windows 7 that can back up open files (unfortunately there’s no support yet for server versions of Windows, OS X or Linux). Versioning is supported through both automatic and manual “snapshots”.

Ctera makes it possible to have your C200 synchronize with Ctera’s online backup service (the device also provides content encryption).

This is all easy to set up and manage, making it usable by organizations with limited tech support. The C200 comes with 5GB of online storage and is free for the first 30 days. After that subscriptions start at $9.95 per month for 10GB and go up to $99.95 per month for 200GB. You can also attach multiple devices (only C200s are currently available) to an account, which provides a simple, centralized management strategy.

But there are a few minor problems: the Web-based user interface has a few usability issues, there is no UPS support, and the event notification service doesn’t support SMTP servers that require SSL or TLS secured connections. That said, these are minor in comparison to the range of features offered.

So that’s it: A SAN, NAS and cloud storage solution that’s simple to use, simple to manage and has very good performance, all at a reasonable price. The Ctera C200 gets a rating of 4.5 out of 5.


THE 

SCOOP 


DXG-A85V  Pro 
Gear  HD  video 
camera  and 
Eye-Fi  Pro  X2 
8GB  SDHC  card 


by  DXG,  about  $320  and  $150, 
respectively 

► What it is: The DXG-A85V Pro Gear video camera offers a lot of the same features found in brand name video cameras, but without the brand name price. This model includes a 10 megapixel image sensor, 12x optical zoom, and can record videos with 1080p resolution at 30 frames per second, or 720p resolution at 60 frames per second. The DXG-A85V includes a 3-inch touchscreen display for easy menu option navigation, and an HDMI cable and interface for connecting to an external display. The system supports SDHC cards up to 16GB in capacity, and this includes the 8GB Eye-Fi Pro X2 model. Videos are stored in the .MOV file format.

► Why it’s cool: The camera was very easy to use, the LCD screen pops out from the side, and the touchscreen was a nice and easy way to change resolution settings (we tend to shoot in 720p to save on file sizes). The dual-capture mode, in which you can record videos and pictures simultaneously, was a very nice touch. The electronic image stabilization feature was handy.

“The DXG-A85V is similar to brand name video cameras but at a lower price.”

When you add the Eye-Fi Pro X2 card to the camera, you can automatically upload your videos and photos via a Wi-Fi network to a photo sharing site. The card features its Endless Memory Mode, which automatically frees up space on the card once photos and videos have been uploaded. The card can also upload images and videos through AT&T Wi-Fi hot spots. But for the most part, you’ll want to upload photos through your own Wi-Fi network at home, especially if you have an 802.11n network.

Using the Eye-Fi card was also a breeze; once configured it was a great way to quickly upload photos to Facebook and other photo sharing sites, and the software lets you choose privacy settings on photos, as well as choose only the photos you want to upload.

► Some caveats: On the camera, I would have preferred an external microphone jack, which can help in noisy environments. On the card, I have no complaints other than the sticker price — make sure that wireless uploading is something you plan to do frequently, otherwise you can pick up a regular SDHC for a lower price.

Grade ★★★★-< (out of five) for each product.

Shaw can be reached at kshaw@nww.com.
The meteoric rise in virtualization and cloud computing has thrown traditional network security off its axis. New tools and approaches are needed in order to protect virtual machines and cloud-based data.

Virtual machine traffic presents a new challenge for data center security professionals


Welcome to the world of server virtualization, where the threats are new and the traditional security tools such as firewalls and intrusion-prevention systems (IPS) don’t cut it anymore.

Unfortunately, at many enterprises, security strategies haven’t kept pace with the shift to x86 server virtualization. “Many companies that have virtualized environments haven’t contemplated the security ramifications of what they’re doing yet,” says John Kindervag, a Forrester Research analyst.


PATRICK QUINN, ASSISTANT VP OF THOMASTON SAVINGS BANK, RELIES ON A TOOL FROM CATBIRD NETWORKS TO PROTECT HIS VIRTUAL SERVERS.

STEVEN VOTE


Gartner’s Neil MacDonald agrees. “The general awareness level of issues related to virtual security isn’t quite where we need it to be,” he says.

For their part, IT pros tend to look at it this way: since physical and virtual servers run the same Linux and Windows operating systems on the same hardware, security for the former is adequate for the latter. “They’ll argue that nothing has changed — and that’s a dangerous mistake,” MacDonald says.

“When you virtualize, you introduce a new layer of software, and all of the Windows and Linux workloads running on top of it rely on its integrity. The first and most important thing you need to do is acknowledge this new layer and establish basic security hygiene around the configuration and vulnerability management of it,” MacDonald says. “That’s basic block and tackle.”

Secondly, IT needs to figure out what to do about the network blind spot that virtualization creates, he adds.

“None of our network-based firewalls or IPSs in the physical world can see the traffic being switched between two virtual machines (VM) in the same box,” MacDonald says. “The question we need to answer is, ‘Do we need security controls inside of the virtual server to see this virtual network traffic?’ Maybe you do or maybe you don’t — but you’ve got to acknowledge that you can’t see the traffic, and if something bad happens, like an inter-VM attack, you won’t be able to see it.”

Many enterprises haven’t focused on virtual server security because their virtualization deployments are immature. When virtual servers are only used for test and development purposes or for running non-critical, low-priority applications, security doesn’t much matter.

But that changes as a virtualization layer moves into the production environment to host mission-critical applications. The deeper entrenched virtualization becomes, the greater the need to deploy security technology specifically aimed at protecting the virtual infrastructure.

Awakening to a new reality

“We did originally go through a phase where we thought physical security would do. But as we started to grow our virtualization deployment, we felt we needed to make sure we were taking proactive steps to secure our customer information,” says Patrick Quinn, assistant vice president and network administrator at Thomaston Savings Bank, in Connecticut.

In doing so, the bank set up secure network segments in the virtual environment much as it would do on physical infrastructure. It uses Catbird Networks’ vSecurity TrustZones virtual security technology, which allows VMs of varying trust levels to share a common host.

TrustZones lets Quinn control traffic moving between VMs based on policy. For example, Quinn says he has established trust zones for each branch, as well as several for the main office.

Likewise, Interior Health Authority, a regional health agency in Kelowna, British Columbia, is hoping to incorporate a virtual server layer into its overall security architecture, says Kris Jmaeff, information security specialist.

“Definitely one of our goals is to have visibility within the virtualization layer,” Jmaeff says. “We’ve got certain areas where we need to use virtual sensors to monitor traffic within our virtual server world or cluster.”

Toward that end, Interior Health is beta testing HP TippingPoint’s Security Virtual Framework, which lets security teams monitor vSwitch — the virtual switch within VMware’s platform — and VM changes to identify tampering or disablement of security controls.

In addition, HP TippingPoint virtual IPS integrates with the vTrust virtual security technology from Reflex Systems. Similar to Catbird’s TrustZones, the Reflex technology lets users create trusted network segments and enforce policies, as well as monitor, filter and control VM-to-VM traffic.

“Our goals for the beta test are to increase our knowledge, obtain more insight and visibility on infrastructure, and develop pre-engagement, pre-planning ideas of what we’re going to do with security in the future. This is a good opportunity to learn and be on the cutting edge of virtual security,” Jmaeff says.

Virtual security vendors step up

Catbird and Reflex are but two companies that are targeting virtual server security. Others include start-ups such as Altor Networks, Apani and HyTrust, as well as well-established security vendors. Besides HP TippingPoint, this latter group includes CA Technologies, for security functions such as access control and log management; Check Point Software Technologies, for virtual firewalls; Juniper Networks, which has a strategic alliance with Altor; IBM, for IPS; and Trend Micro, which acquired virtual security start-up Third Brigade.

“As bigger companies jump in, this signals that there is a need for these types of products. It’s just a matter of time before they all have virtualized offerings of security enforcement,” Gartner’s MacDonald says.

It might seem logical to think that you would defend the hypervisor layer the same way you would defend physical servers — by plugging in IPS or antivirus software.

But MacDonald disagrees. “We don’t believe you need to go run IPS or a copy of antivirus in the hypervisor. That would defeat the whole purpose of this layer being very thin and hardened. Rather, good configuration, vulnerability and patch management disciplines are enough at that layer,” MacDonald says.

Forrester’s Kindervag adds, “They say about 40% of issues in modern networks relate to configuration or other types of human error. That leads me to believe that how you do security management is more critical [than hypervisor security] at this moment,” he says.

“What vendors really are talking about now is protecting the VMs and traffic between them just as you’d protect workloads in the physical environment,” MacDonald adds. “This becomes especially important when you start combining virtual workloads of different trust levels on the same physical servers. You’re going to need that visibility, that separation and that policy enforcement.”

When evaluating virtual security products, he advises, select those that are optimized to run inside the virtualization environment and have been integrated into virtualization frameworks from Microsoft, VMware and Xen-based virtualization vendors.

For its part, virtualization leader VMware gives virtual security companies visibility into VM operations via its VMsafe application programming interface.

“About seven major security vendors have participated as VMsafe partners. They’ve developed virtualization-aware network and endpoint solutions that work through the hypervisor in a privileged fashion with high security,” says Venu Aravamudan, senior director of product marketing for VMware’s server business unit.

But that’s just for starters, he adds. Earlier this year, at the RSA Conference 2010, VMware previewed how it envisions next-generation virtual server security technology might work. Working in conjunction with Trend Micro, it showed the ability to run antivirus processing on a host machine rather than VM by VM as current-generation products do.

“Once this technology becomes real, in terms of a shipping product, we don’t have the need for an agent in each VM. That means better performance, less to manage, lower cost and so on,” Aravamudan says.

It also means new capabilities. “You can look at this model to drive solutions such as being able to detect rootkits in the files hypervisors are running on, discover credit-card and other sensitive information in VMs and check the integrity of files, for example,” he says.

Baked-in security

Morgan Keegan & Co., one of the nation’s largest regional investment firms, is one of the few companies quite comfortable with its virtual security posture. “We don’t have any security concerns today in the way that we’ve deployed the virtual environment,” asserts Luke McClain, a systems engineer with the Memphis firm.


Forrester Research analysts suggest these policies will ensure a secure virtualization implementation:

► Manage virtual operating systems as you do ordinary ones. In other words, be vigilant about configuration, vulnerability and patch management in the hypervisor and guest operating systems.

► Segregate hypervisor and management interfaces, making sure that guest operating system virtual machines (VM) don’t have access to the control mechanisms or even knowledge of the hosts on which they’re running.

► Separate administrative and hypervisor traffic from production traffic.

► Continuously scan hypervisor hosts for — and harden them against — vulnerabilities.

► Don’t mix VMs of varying trust levels on the same physical host.

► Don’t rely on the hypervisor to enforce zone boundaries with a physical host. Rather, keep VMs from the same zone together.
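The placement and segregation policies in the Forrester list above (management interfaces kept away from guests, management traffic separate from production, no mixing of trust levels on a host, a zone’s VMs kept together) can be checked mechanically against a VM inventory. The following is an added example written for this article, not code from Forrester, VMware or any vendor named here; the hosts, VM names, zones and port-group names are constructed placeholders, and the inventory is assumed to have been exported from the virtualization management tool into the simple dictionaries shown. The two policies about patching and continuous scanning are operational and are not covered by the check.

```python
"""Static check of VM placement against virtualization segregation policies.

Added example; inventory and host network layout below are constructed.
"""
from collections import defaultdict

# Constructed inventory: one record per VM (names and networks are placeholders).
INVENTORY = [
    {"vm": "web01",  "host": "esx01", "zone": "dmz",      "trust": "low",    "nets": ["pg-dmz"]},
    {"vm": "web02",  "host": "esx01", "zone": "dmz",      "trust": "low",    "nets": ["pg-dmz"]},
    {"vm": "db01",   "host": "esx01", "zone": "pci",      "trust": "high",   "nets": ["pg-pci"]},
    {"vm": "db02",   "host": "esx02", "zone": "pci",      "trust": "high",   "nets": ["pg-pci"]},
    {"vm": "jump01", "host": "esx02", "zone": "pci",      "trust": "high",   "nets": ["pg-pci", "pg-mgmt"]},
    {"vm": "app01",  "host": "esx03", "zone": "internal", "trust": "medium", "nets": ["pg-internal"]},
]

# Constructed host layout: which port group carries management traffic and which carry production.
HOSTS = {
    "esx01": {"mgmt_net": "pg-mgmt",     "prod_nets": ["pg-dmz", "pg-pci"]},
    "esx02": {"mgmt_net": "pg-mgmt",     "prod_nets": ["pg-pci"]},
    "esx03": {"mgmt_net": "pg-internal", "prod_nets": ["pg-internal"]},  # management shares a production net
}


def check_placement(inventory, hosts):
    """Return a list of (policy, subject, detail) findings; an empty list means compliant."""
    findings = []
    by_host = defaultdict(list)
    by_zone = defaultdict(set)
    for vm in inventory:
        by_host[vm["host"]].append(vm)
        by_zone[vm["zone"]].add(vm["host"])

    # Policy: don't mix VMs of varying trust levels on the same physical host.
    for host, vms in by_host.items():
        levels = {v["trust"] for v in vms}
        if len(levels) > 1:
            findings.append(("mixed-trust-host", host, sorted(levels)))

    # Policy: keep a zone's VMs together instead of relying on the hypervisor for the boundary.
    for zone, zone_hosts in by_zone.items():
        if len(zone_hosts) > 1:
            findings.append(("zone-split", zone, sorted(zone_hosts)))

    # Policy: guests must not be attached to the host's management interface.
    for vm in inventory:
        mgmt = hosts[vm["host"]]["mgmt_net"]
        if mgmt in vm["nets"]:
            findings.append(("guest-on-mgmt-net", vm["vm"], mgmt))

    # Policy: administrative/hypervisor traffic separate from production traffic.
    for host, cfg in hosts.items():
        if cfg["mgmt_net"] in cfg["prod_nets"]:
            findings.append(("mgmt-shares-prod-net", host, cfg["mgmt_net"]))

    return findings


if __name__ == "__main__":
    for policy, subject, detail in check_placement(INVENTORY, HOSTS):
        print(f"{policy:22} {subject:10} {detail}")
```

Run against the constructed data the check reports esx01 for mixing low- and high-trust VMs, the pci zone for being spread across two hosts, jump01 and app01 for sitting on a management network, and esx03 for carrying management and production traffic on the same port group. In practice the inventory would be pulled from the management API on a schedule and the findings fed to the same ticketing or SIEM pipeline that handles physical-network policy violations.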


That’s because Morgan Keegan took security into consideration from Day One of its virtualization project, launched in March 2008. That the company already has virtualized 75% of its server infrastructure — roughly 515 VMs running on 52 VMware ESX hosts across three data centers — is in part attributable to this fact, McClain says.

A particular IT operational goal was collapsing the company’s traditional firewalled DMZ into the virtual environment. “We felt that we could really benefit by bringing those physical machines into the virtual environment and manage them while still leaving them in this protected pocket,” says Parker Mabry, managing director, network systems engineering, at Morgan Keegan.

This required close planning with the information security group, which compared virtual firewalls against what it knew of their physical counterparts — in its case, Cisco’s firewalls. “They compared feature to feature, looking for things like robust logging, forensics and the depth and granularity of locking down machines,” Mabry says.

“I like to tease that usually the first response we get from corporate information security is ‘No’ — it’s that tight,” he says. “So actually getting information security to see the value of being able to use a virtual firewall in the virtual environment was a big win for us.”

To harden the virtual DMZ, Morgan Keegan uses Reflex’s vTrust Security product.

From an operational standpoint, the company secures VMs through tight authentication, McClain adds. With VMware’s vCenter virtualization management tool and the management interface, “We’re very cognizant of who has rights to any virtual machine and keeping close track of that specifically and especially in the DMZ environment,” he says.

VMware encourages its partners and field service organization to ensure that all enterprises bake security into their planning and designs, as Morgan Keegan has, Aravamudan says.

While the security-first encouragement doesn’t always stick with customers just starting out on their virtualization journeys or who are using the technology in limited scenarios, larger enterprises do get it, he says.

“Especially at those customers with large percentages of workflows deployed on virtual servers, we clearly see a lot more discipline in adhering to our best practices and security hardening guidelines,” he adds.

VMware believes that just as virtualization enabled massive cost savings and efficiency gains, it is a real game-changer when it comes to security, Aravamudan says. “It’s definitely one of our goals — and we’ve already started to prove this — that security for environments based on virtualization will be better than physical security as it exists today in IT.”

Gartner’s MacDonald agrees. “What we see clearly is that virtualization is not inherently insecure, but that it gets deployed insecurely today. But this problem will go away over the next three to four years as IT staffs, vendors, the tools and skills mature,” he says. “People will be deploying securely — ideally even more securely — than they have been in their physical environments.” ■

Schultz, author of Network World’s Network/Systems Management Alert, is a longtime IT writer and editor in Chicago. You can reach her at bschultz5824@gmail.com.
How to secure the public cloud

New thinking and new tools are needed to securely run application workloads and store data in the public cloud

~ BY BETH SCHULTZ ~

...public cloud services as being too insecure to trust with critical or sensitive application workloads and data. But not Doug Menefee, CIO of Schumacher Group, an emergency management firm in Lafayette, La.

“Of course there’s risk associated with using cloud services — there’s risk associated with everything you do, whether you’re walking down the street or deploying an e-mail solution out there. You have to weigh business benefits against those risks,” he says.

Menefee practices what he preaches. Today 85% of Schumacher Group’s business processes live inside the public cloud, he says.

The company uses cloud services from providers such as Eloqua for e-mail marketing; Google Apps for e-mail and calendaring; Salesforce.com for CRM software; Skillsoft for learning management systems; and Workday, for human resources management software. “The list continues to go on for us,” he says.

Yet Menefee says he doesn’t consider himself a cloud advocate. Rather, he says he’s simply open to the idea of cloud services and willing to do the cost-benefit and risk analysis.

To be sure, the heavy reliance on cloud services hasn’t come without a security rethink, Menefee says. For one, the company needed to revamp its identity management processes. “We needed to think about how to navigate identity management and security between one application and another living out in the cloud,” he says.

Indeed, rethinking identity management often is the starting point for enterprises assessing cloud security, says IDC analyst Charles Kolodgy. They have to consider authentication, administrative controls, where the data resides and who might have access to it, for example.

“These are similar to what enterprises do now, of course, but the difference is that it no longer owns the infrastructure and doesn’t have complete access to the back end, so it needs strong assurances,” Kolodgy adds.

Start-ups ServiceMesh and Symplified have addressed the need for strong cloud security assurances. ServiceMesh offers Agility Access for use with its Agility Platform, which comprises cloud management, governance and security tools under the platform.

Symplified offers Trust Cloud. Built on the Amazon Elastic Compute Cloud (EC2), Trust Cloud is a unified access management and federation platform that integrates and secures software and infrastructure cloud services, EC2 and Web 2.0 applications.

Schumacher Group uses the Trust Cloud predecessor, Symplified’s SinglePoint, an identity, access management and federation service that gives users single sign-on access to multiple cloud applications. SinglePoint also lets IT rapidly provision and de-provision access to all applications in one pass.

Beyond technology, the cloud services model gives rise to a new way of thinking about Schumacher Group’s operational resources, Menefee adds.

“Large cloud providers have teams and departments tasked full time, 24/7, to do nothing but protect their customers’ sensitive information and to find continuous improvements to their security, monitoring, intrusion control and so on. As a midsized organization, I don’t have a full-time, multiperson department focused entirely on security. With cloud service providers I feel more secure because I get the same benefit as what a Fortune 500 or 100 company would get with a multitenant, secure environment,” he says. And, should a security breach occur, “Those teams will be more equipped to do a rapid response than my internal people would.”

Certainly with your enterprise data at stake, pushing cloud providers to deliver the security you need is perfectly reasonable. As Forrester Research analyst Chenxi Wang says, “Don’t ever compromise any security goals or requirements just because you’re moving to the cloud.”

Cloud services providers should go the extra mile on security provisioning — and enterprises have to hold them to it contractually, Wang says. “If a cloud services provider says what you want isn’t achievable or that it can’t provide evidence, you say, ‘Look, we’ll go to another cloud provider or not to the cloud at all,’” she adds.

Schwan Food, in Marshall, Minn., used that tactic when planning a virtual disaster recovery architecture, says Cory Miller, senior IT operations manager for the multibillion dollar frozen food company.

“We told our providers, ‘You are going to use our tools and we are going to extend them into your environment,’” he says. “And I’ll do more of that as I expand more into the cloud.”

The choice is simple, really. Force providers to work with what you have or find yourself working with yet another set of security tools and interfaces. Chances are, you can even get your security tool vendor to contract with the provider, Miller says.

Along those lines, Reflex Systems, whose virtual firewall Schwan uses to secure its virtualized infrastructure, works with Computer Sciences Corp. and Savvis. The goal is “bringing some consistency to security and management when moving between private clouds and public clouds,” the company says.

Schwan fielded solicitations from a number of cloud providers. However, when it came right down to it, not all cloud providers were receptive to Schwan’s mandates.

“With several we turned around and said, ‘We’ll do this and if you’re not interested in providing that capability or service to us, we’ll go somewhere else and find someone who is,’” Miller says. However, he cautions, “we’re considered very mature in our environment ... and I’m not sure smaller companies would have that luxury.”

But even small companies would be wise to look out to the future. If you’re building a private cloud today with the thought of extending to the public cloud, then knowing what security tools your potential provider will or won’t support could impact the technology choices you make, Miller adds.

“You don’t want to have designed your private cloud and then find out that the external cloud has such different change management or encryption processes, for example, that it almost offsets the advantages you have in expanding or moving out into the cloud.”
Getting tough on cloud providers

As cloud services mature, vendors are working on tools and services to help — if not outright encourage — enterprises to make these sorts of tough demands.

One such tool is Adaptivity’s Blueprint4IT. With it, an enterprise can create an IT security blueprint that takes into account factors such as access policies and the sensitivity of data while in transit and at rest, as well as the hardware and software components needed to keep data flowing securely from the internal network into the cloud.

“Take your requirements, generate a blueprint, and hand it to your service providers and say, ‘Here’s exactly how we’ll be setting up our infrastructure and how you’re going to guarantee it on the other side as part of our contract,’” says Tony Bishop, founder and CEO of Adaptivity. “Just like you’d hand a blueprint to a general contractor and say, ‘Here it is. Go build my house.’”

Or, he adds, enterprises could use Blueprint4IT to assess their service providers and help them score the maturity of their security architectures.

This desire of enterprise customers to conduct their own assessments of a provider’s security architecture is something new, agrees Neil Ashizawa, senior manager of HP software-as-a-service products and cloud solutions. Such requests aren’t widespread right now, he adds, but HP does field them from time to time and expects to see the numbers grow.

Toward that end, HP offers Cloud Assure, which allows enterprises to scan and do automated penetration testing of networks, operating systems, middleware layers and Web applications for vulnerabilities. This allows the enterprise to get assurance that the cloud provider of choice will be able to carry application workloads securely and keep them safe from unauthorized access, Ashizawa says.

As enterprises approach the public cloud, what they have to remember is that “not every application is going to make sense to be done securely in the cloud, but neither is it that the cloud can’t be made secure enough for anything,” says Gartner’s John Pescatore.

Even financial firms, government agencies or other companies with highly sensitive data such as payment card information or medical records can find the necessary protections in the cloud if they look hard enough, Pescatore says. “I may say, ‘That type of data can never go in the cloud’ or I might say, ‘How about if I find a way to encrypt the data and store it in the cloud?’”

As an example, he cites a demonstration conducted late last year in which the Navy successfully showed it could use a commercial cloud infrastructure-as-a-service platform — in this case Amazon’s EC2 — to support its requirements securely. The demonstration included the use of Unisys’ ultra-secure access control and security technology, called Stealth.

Developed for U.S. Department of Defense war fighters, the Stealth technology provides data protection for Unisys Secure Cloud services.

When a cloud user logs in and authenticates to the access control mechanism, Stealth figures out who the user is and to which community of interest he belongs and with what security levels. From there, the user only has physical access to participating systems with those security levels. Before a packet traverses the server or storage network, Stealth uses a patented technology to break it into bits, which are then shuffled into three or four “piles.” Stealth encrypts each pile separately and then sends them over an encrypted link. The process is reversed at the other end of the connection, Noel says.

Another approach, Pescatore says, is to use dummy data in place of sensitive information out in the cloud. “Applications work fine but sensitive data like payment card information or personally identifiable information stays local,” he describes.

Start-up PerspecSys offers this type of functionality, initially for use with the Salesforce.com CRM cloud.
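The “dummy data” approach Pescatore describes is usually implemented as tokenization: a vault inside the enterprise boundary swaps each sensitive value for a random stand-in before the record is sent to the cloud application, and swaps it back when the record returns. What follows is an added example written for this article, not code from PerspecSys or any vendor named here; the in-memory vault, the `card_number` field name and the test card number are constructed, and a production vault would of course persist its mapping in protected storage rather than a dictionary.

```python
"""Tokenizing payment-card data so only stand-ins leave for the cloud.

Added example; the vault, field names and card number below are constructed.
"""
import secrets


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so malformed card numbers are rejected before they are vaulted."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """In-memory stand-in for an on-premises token vault.

    The real primary account number (PAN) is stored only here; the cloud side
    receives a random token that keeps the last four digits for display.
    """

    def __init__(self):
        self._by_pan = {}
        self._by_token = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a plausible card number")
        if pan in self._by_pan:          # the same PAN always yields the same token,
            return self._by_pan[pan]     # so the cloud app can still match records
        while True:                      # random token; retry on the (unlikely) collision
            token = f"tok-{secrets.token_hex(8)}-{pan[-4:]}"
            if token not in self._by_token:
                break
        self._by_pan[pan] = token
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Reverse lookup; only callers inside the enterprise boundary should reach this."""
        return self._by_token[token]


SENSITIVE_FIELDS = ("card_number",)   # constructed: CRM fields that must never leave


def scrub_for_cloud(record: dict, vault: TokenVault) -> dict:
    """Return a copy of the record with sensitive fields replaced by tokens."""
    out = dict(record)
    for field in SENSITIVE_FIELDS:
        if field in out:
            out[field] = vault.tokenize(out[field])
    return out


def restore_from_cloud(record: dict, vault: TokenVault) -> dict:
    """Put the real values back when the record comes back inside the boundary."""
    out = dict(record)
    for field in SENSITIVE_FIELDS:
        if field in out:
            out[field] = vault.detokenize(out[field])
    return out


if __name__ == "__main__":
    vault = TokenVault()
    crm_record = {"customer": "Example Corp", "card_number": "4111 1111 1111 1111"}  # constructed
    cloud_copy = scrub_for_cloud(crm_record, vault)
    print(cloud_copy)                              # card_number is now tok-...-1111
    print(restore_from_cloud(cloud_copy, vault))   # real PAN restored locally
```

The design point is that the cloud application never holds anything that can be turned back into the card number: the token carries no key material and the mapping exists only in the vault, so a breach on the provider side exposes stand-ins rather than cardholder data, which is exactly the property Pescatore’s “stays local” remark is after.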

Clearly enterprises have much to think about as they consider using public cloud services. They’ve got to take a risk-based approach, as has Schumacher Group, with a strong focus on the data and what controls are needed. ■
Hungry for server security

How Schwan Foods satisfied its craving for virtualization-layer security

~ BY BETH SCHULTZ ~

...sampling innovative technology, Schwan Foods, a multibillion-dollar frozen food producer, digs right in.

The Marshall, Minn., company became an early adopter of VMware ESX Server technology, beginning beta tests in 2001 and launching its formal virtualization project in 2002.

By 2008, Schwan had virtualized two-thirds of its servers, says Cory Miller, the company’s senior IT operations manager.

Schwan’s virtual server infrastructure today comprises 55 ESX hosts running between 700 and 800 virtual machines (VM). In addition, 44% of the company’s 18,000 desktops are virtual, Miller says.

No wonder Schwan began hankering for virtualization-layer security years ago.

When Schwan began its virtualization implementation, it decided to run VMware’s ESX on bare-metal hardware.

That was a way to avoid having to worry about operating system patches or security flaws affecting the hypervisor, Miller says. “Still, initially, we used our virtualization for a lot of transactional data but not for credit-card processing or other sensitive data,” he adds.

By 2005, Schwan felt comfortable moving sensitive data into the virtual environment. It used traditional physical firewalls to mask, protect and segregate user environments across the development, staging, quality assurance and production networks.

But it didn’t take long before problems appeared.

“I could put different kinds of sensitive data — credit card or HIPAA, say — on the same systems and lock them down because we followed the same processes, auditing and compliance for them. But I didn’t want to put a SharePoint server on the same host that was processing credit cards,” he says. “I could track the data going host to host, but I didn’t have the control, monitoring or capabilities to see what was going on within a host.”

Addressing that situation meant carving hosts out of the resource pool and creating lockbox environments for sensitive data. And that, in turn, meant Schwan wasn’t getting enough throughput or efficiency.

So Schwan immediately began looking for a virtual firewall that could sit at the virtualization layer and do the segregation. It selected vTrust Security from Reflex Systems, at the time one of the only companies offering a virtual firewall, Miller says.

Schwan can still segment sensitive environments, but now Miller does so out of the entire host pool rather than carving off sections of it, he explains. The virtual firewall inspects traffic on a host and blocks its movement from one guest machine to another.

This gives Schwan the ability to run virtual desktops with greater peace of mind, for example. “We might have some executive or high-risk virtual desktops that we keep track of through user monitoring or auditing. We don’t want a plant user on the other side of the world being able to get to that person’s desktop. Now those virtual desktops can sit on the same hosts and I don’t have to worry about the potential for interaction,” Miller says.

In its implementation, Schwan was careful to create the same types of firewall rules as it has for the physical firewalls and personal firewalls running on user desktops, Miller says. “That way, guests running on a host are protected within the host and as soon as they exit the virtual switch because they’ll move directly into the segmentation created by the physical firewall using the same rule sets,” he explains.

This also facilitates auditing. As VMs are
moved  from  host  to  host  through  VMware’s 
VMotion  technology,  they  get  dropped  into 
the  same  type  of  firewall  environment  or  seg¬ 
regated  subnet  as  needed.  “By  taking  a  vir¬ 
tual  firewall  and  being  able  to  release  those 
rules  so  they  go  across  the  entire  set  of  hosts 
within  that  pool,”  Miller  says,  “I’m  protected 
wherever  that  guest  goes.” 
CLEAR CHOICE TEST: FIREWALL MANAGEMENT

Extreme firewall makeover

Skybox, RedSeal lead the way among five vendors with tools to improve firewall efficiency, identify vulnerabilities, meet audit goals.

~ BY ROB SMITHERS ~

Anyone running multiple firewalls in a complex, enterprise environment knows how difficult it can be to catch misconfigurations, avoid conflicting rules, identify vulnerabilities, and meet auditing and compliance mandates.

We looked at five firewall operations management products: AlgoSec’s Firewall Analyzer, RedSeal’s Network Advisor and Vulnerability Advisor, Secure Passage’s FireMon, Skybox’s View Assure and View Secure and Tufin’s SecureTrack. These products perform similar core functions: they retrieve configuration files of firewalls (and other network devices), store the data and analyze it. They can look at change history, analyze existing rules, perform rules-based queries, re-order rules, and send out alerts if policies are violated. They can also create automated compliance audit analysis and reports.

They can also do modeling and war-game analysis based on a snapshot-in-time version of the network. Plus, AlgoSec, RedSeal and Skybox can provide network diagrams and topology views of the underlying networks.

Overall, we were most impressed with RedSeal and Skybox, which cover all the basics, plus have the added benefit of being able to support multiple vendors’ vulnerability scanning products. However, we were impressed with all of the products.

AlgoSec’s Firewall Analyzer had an intuitive interface and came with predefined standard audit and analysis reports. Installation was simple and the program offered a wizard for easy data collection.

Network Advisor and Vulnerability Advisor from RedSeal answered questions on how well the network is configured to protect from Internet threats. The programs generate vulnerability reports showing weaknesses in the network, and contain pre-configured compliance management reports.

FireMon from Secure Passage performs real-time analysis on device configuration and stays current by using an automated analysis of compliance guidelines. There is a wizard to import device information en masse for large networks.

Skybox View Assure and Skybox View Secure can automate the collection schedule of configuration files by the hour, day, week, month or year. A built-in ticketing system supports access change tickets and policy violation tickets.

SecureTrack from Tufin has a What-If analysis feature to test changes to policies before they are implemented. Predefined analysis and reporting options are based on industry best practices.

AlgoSec Firewall Analyzer

We tested AlgoSec’s Linux-based Firewall Analyzer software package, which consists of an analysis engine, collection engine, Web server, administrative GUI for local and remote administration, and user, policy storage and syslog databases.

The analyzer engine runs queries on the data collected, based on predefined or custom rules, and then generates a detailed report. The Web server sends e-mail alerts to the firewall manager.

We installed it as a VMware appliance on our Dell 600SC server. Once the VMware player is loaded onto the Firewall Analyzer, it boots up, and logging in as root will bring up the Firewall Analyzer browser application.

There are three methods for data collection — a wizard, semi-automated scripts, or doing it manually, which is time consuming and could result in errors.

Once files are retrieved and stored, Firewall Analyzer runs a risk analysis based on PCI compliance, NIST, SANS Top 20 and vendor best practices. In addition, we found that we could create custom analysis reports. Selecting the Firewall Reports option displays charts and a connectivity diagram summarizing changes, findings, policy optimization, rule reordering, firewall information and a firewall connectivity diagram. Choosing the Risks option displays the findings with risk codes and details about the risk, with suggestions and diagrams on how to deal with it.

AlgoSec’s Change History Report detailed changes in rules on the firewall. On the bottom of the Change History dashboard are features to run interactive traffic queries, to compare the report with others, and to create a group report with other firewalls.

The Optimization Policy feature provides the Rules Cleanup and Reordering tools. Rule types flagged in a Cleanup Report include unused, covered, redundant and disabled rules, and rules with a non-compliant name. The Rule Reordering Report gave us information on how to improve a rule.

The AlgoSec Firewall Analyzer client application dashboard is well organized and multi-tiered, making it easy to find features and wizards. There are pre-defined compliance audits such as PCI-DSS, ISO/IEC 27001, Sarbanes-Oxley and others. A drawback was the lack of integration with a vulnerability scanner, but AlgoSec is an excellent product for compliance auditing and rule optimization.

RedSeal Network Advisor and Vulnerability Advisor

With RedSeal Network Advisor 4.1 and Vulnerability Advisor 4.1, you can automate the process of analyzing, identifying, quantifying and mitigating risk and vulnerabilities in complex networks. Network Advisor uses plugins to import configuration files from each supported device. We could create a unified network topology map with a best practices analysis and solutions for remediation after we imported risk and vulnerability analyses.

Both Network Advisor and Vulnerability Advisor require importing router, switch and firewall configuration files to the database. The analytical engine processes information that includes host names, IP addresses, subnet masks and device interfaces. Analysis results appear in the form of graphical displays, reports, maps and charts detailing the current status and configuration of the network. Plugins are available for a wide range of products from Cisco, Check Point, Juniper and dozens of others.

After device configuration files were imported into the RedSeal Advisor, the files were checked against RedSeal’s best practices database. We could drill down to locate the offending policy by double-clicking on a selected row. Any changes to hosts and devices could be analyzed and reported with the View Changes application.

We accomplished rule usage analysis and reordering by using RedSeal’s Custom Best Practice Check feature. Using a regular expression tool, we could search the configuration files and use the available plugin associated with the device. We performed what-if analysis to determine if changes to a rule would adversely affect the network.

RedSeal provides preconfigured compliance management analysis reports. We could add and schedule custom reports to run at specific times. We could analyze and report on how well our network was configured compared to best practice checks, and what assets were exposed to the Internet.

RedSeal’s interface for running vulnerability analysis presents a topology map of the network, offering a graphical method for analyzing network vulnerabilities. The map states highly detailed information quantifying the risk, based on the Common Vulnerability Scoring System (CVSS).

RedSeal integrates its product with several well-known vulnerability scanners, such as Qualys, nCircle and McAfee. We recommend this product for quantifying risk and vulnerabilities and for allocating resources based on asset value.

FireMon from Secure Passage

FireMon from Secure Passage manages firewalls by reporting on changes to the firewall policy, checking unused rules and reporting how traffic flows through rules. Compliance is safeguarded by the program’s automated analysis of compliance guidelines such as PCI and National Security Agency (NSA).

The FireMon architecture includes an application server, data collector and a graphical user interface (GUI). The application server tracked the data collected, performed real-time analysis on transactions and device configuration, and generated scheduled reports. The data collector is a FireMon application running on an appliance or PC to monitor and collect data from firewalls, switches and routers.

After installing the FireMon management client on Windows Vista, which was a quick process, we logged into the FireMon server with a user name, password, IP address and port number to bring up the management console.

FireMon offers a wizard for importing Check Point, Cisco, F5, Juniper, Nokia and McAfee/Secure Computing devices. Once the entries are made to the wizard, all the associated firewalls, management servers and log servers are auto-discovered and added automatically in sequence.

We used the Firewall Traffic Flow Analysis tool to produce a report that zeros in on “Any” rules configured on firewalls in a large network. We could fine-tune the firewall rules by reducing or eliminating overly permissive “Any” rules and large, complicated ones.
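The cleanup categories AlgoSec’s report flags (covered, redundant, disabled, non-compliant name), the overly permissive “Any” rules FireMon’s Traffic Flow report zeros in on, and the what-if analysis several of these tools offer all reduce to checks on a rule base evaluated with first-match semantics. The following is an added example written for this review, not code from any of the vendors tested; the rule format, the naming convention and the sample rule base are constructed, and “unused” is omitted because it needs hit counters that a static rule base does not carry.

```python
# Rule-base hygiene checks of the kind the reviewed tools report on. Constructed
# example for this article, not vendor code: the rule format, naming convention and
# sample rule base are made up, and matching is first-match, as on most firewalls.
import re
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Optional, Tuple

NAME_POLICY = re.compile(r"^[A-Z]+-\d+$")   # constructed convention, e.g. WEB-10
ANY_PORTS = (1, 65535)

@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str               # "tcp", "udp" or "any"
    ports: Tuple[int, int]   # inclusive destination port range
    enabled: bool = True

def to_net(s: str) -> IPv4Network:
    """'any' means 0.0.0.0/0; otherwise a CIDR prefix or a single address."""
    return ip_network("0.0.0.0/0" if s == "any" else s, strict=False)

def parse_rule(line: str) -> Rule:
    """Parse 'name action src dst proto ports [disabled]'; ports is 'any',
    a single port or a 'lo-hi' range."""
    name, action, src, dst, proto, ports, *flags = line.split()
    if ports == "any":
        lo, hi = ANY_PORTS
    elif "-" in ports:
        lo, hi = (int(p) for p in ports.split("-"))
    else:
        lo = hi = int(ports)
    return Rule(name, action, to_net(src), to_net(dst), proto, (lo, hi),
                "disabled" not in flags)

def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by inner is also matched by outer."""
    return (outer.src.supernet_of(inner.src) and outer.dst.supernet_of(inner.dst)
            and outer.proto in ("any", inner.proto)
            and outer.ports[0] <= inner.ports[0] and outer.ports[1] >= inner.ports[1])

def is_any_rule(rule: Rule) -> bool:
    """Overly permissive: allows any source to any destination on any port."""
    return (rule.action == "allow" and rule.src.prefixlen == 0
            and rule.dst.prefixlen == 0 and rule.proto == "any"
            and rule.ports == ANY_PORTS)

def cleanup_report(rules: List[Rule]) -> Dict[str, List[str]]:
    """Flag disabled rules, covered rules (shadowed by an earlier rule with the
    opposite action, so never hit), redundant rules (covered by an earlier rule
    with the same action), permissive 'any' rules and non-compliant names."""
    keys = ("disabled", "covered", "redundant", "any", "non_compliant_name")
    report: Dict[str, List[str]] = {k: [] for k in keys}
    active: List[Rule] = []          # enabled rules seen so far, in order
    for rule in rules:
        if not NAME_POLICY.match(rule.name):
            report["non_compliant_name"].append(rule.name)
        if not rule.enabled:
            report["disabled"].append(rule.name)
            continue                 # a disabled rule shadows nothing
        if is_any_rule(rule):
            report["any"].append(rule.name)
        earlier = next((e for e in active if covers(e, rule)), None)
        if earlier is not None:
            key = "redundant" if earlier.action == rule.action else "covered"
            report[key].append(f"{rule.name} by {earlier.name}")
        active.append(rule)
    return report

def first_match(rules: List[Rule], src: str, dst: str, proto: str, port: int) -> Optional[Rule]:
    """Return the first enabled rule matching the flow, as the firewall would."""
    s, d = to_net(src), to_net(dst)
    for r in rules:
        if (r.enabled and r.src.supernet_of(s) and r.dst.supernet_of(d)
                and r.proto in ("any", proto) and r.ports[0] <= port <= r.ports[1]):
            return r
    return None

def what_if(current: List[Rule], proposed: List[Rule],
            flow: Tuple[str, str, str, int]) -> Tuple[str, str]:
    """Action a flow receives before and after a proposed rule base; no match
    means the implicit default deny."""
    before, after = first_match(current, *flow), first_match(proposed, *flow)
    return (before.action if before else "deny", after.action if after else "deny")

# Constructed sample rule base, deliberately containing each kind of finding.
SAMPLE_RULES = [parse_rule(line) for line in """
WEB-10 allow any 10.1.0.0/24 tcp 443
DB-20 deny 10.2.0.0/16 10.3.0.5/32 tcp 3306
DB-21 allow 10.2.5.0/24 10.3.0.5/32 tcp 3306
WEB-11 allow 192.168.1.0/24 10.1.0.0/24 tcp 443
old_rule allow 10.9.0.0/16 10.1.0.0/24 udp 53 disabled
ANY-99 allow any any any any
""".strip().splitlines()]
# Proposed change: move DB-21 ahead of DB-20, which flips a currently denied flow.
PROPOSED_RULES = [SAMPLE_RULES[2]] + SAMPLE_RULES[:2] + SAMPLE_RULES[3:]
```

Running cleanup_report over SAMPLE_RULES reports DB-21 as covered by DB-20 and WEB-11 as redundant with WEB-10; what_if over the reordered PROPOSED_RULES shows the same database flow changing from deny to allow, which is exactly what a reorder should be checked for before it is pushed.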

We  generated  FireMon’s  Rule  Recommenda¬ 
tion  Report  that  offers  analyzing  issues,  such 
as  a  request  for  https  traffic  from  source  and 
destination  addresses.  The  report  showed  if  a 
policy  existed  for  the  requested  access. 

We  examined  the  Rule  Comparison  feature 
that  analyzes  the  changes  to  a  device’s  policy 
rule  changes  made  over  time.  We  saw  color- 
coded  icons  for  change,  inserted,  deleted  and 
the  same.  You  can  revert  back  to  a  known 
good  state  using  this  report,  which  helps  with 
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Product  Firewall  Analyzer  Network  Advisor  &  FireMon  View  Assure  &  SecureTrack 

_  Vulnerability  Advisor  View  Secure  _ 

Company  Algo  Sec  RedSeal  Secure  Passage  Skybox  Tufin 


Price 


Pros 


Cons 


$19,900  for  FireFlow 
software 

$4,995  for  appliance 
$1,900  per  firewall 

$550  audit  license 

$30,000  base  price  and  $800 
per  Layer  3  Device  for  Network 
Advisor 

•  $30,000  base  price  and 
$900/Layer  3  Device  for 
Network  Advisor  & 

Vulnerability  Advisor 

$1,000  per  enterprise 
firewall,  site  licensing 
available. 

Special  pricing  available 
for  other  or  smaller 
environments. 

$50,000  for  enterprise 
solution.  Additional  license 
costand  consulting/ 
support  may  be  required. 

$20, OOOfor  Tufin 

Security  Suite. 

$5,300  for  Tufin  Appliance. 

$600  for  SecureTrack 

Audit  license. 

Intuitive  interface; 
predefined  industry 
standard  audit 
analysis  and  reports. 

Semi-automated 
data  collection. 

Automated  import  of  config 
files  and  update  scheduling. 

Powerful  tools  for  determining 
risk,  vulnerabilities, 

Supports  multiple 
scanning  vendors. 

Can  run  what-if  analysis. 

Clear,  integrated  workflow 
and  planning  tool. 

Custom  extensions 
available  for  download 
and  development. 

Built-in  ticketing  system. 

Excellent  tools  for  risk  and 
vulnerability  scoring. 

Multiple  third-party  vulnerability 
scanners  supported. 

Network  topology  mapping . 

Well-designed 
intuitive  interface. 

Pre-configured  analysis 
and  reports  based  on 
industry  best  practices. 

"What-if"  analysis. 

Initial  configuration  file 
import  is  not  automated. 

Scanning  tools  and  risk 
and  vulnerability  scoring 
is  not  supported. 

Workflow  application 
not  provided. 

Risk  and  vulnerability 
calculations  not  clearly 
documented. 

Risk  and  vulnerability 
scoring  are  not 
supported. 

Scanningtoolsarenot 

supported. 

Difficulty  getting  the  server 
to  start  on  the  first  install  on 
Windows  XPSP3. 

Couid  not  get  the  Microsoft 

Vista  installer  to  work. 

Configuration  of  devices  and 
SecureTrack  software  was 
difficult. 

Third-party  vulnerability  scan¬ 
ning  vendors  not  supported. 
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institutional  knowledge  transfer. 

Secure Passage has an interface that is well organized, with features that are easy to navigate. Some of the analysis and report wizards, such as the Rule Recommendation Report, displayed helpful examples showing how to set parameters.

Although the FireMon Rule Comparison Analysis Report was confusing at first with its color-coded parameters that indicated changes, we feel that FireMon has excellent analysis features for optimizing rules and creating audit trails. This product should be considered a good firewall management solution for the enterprise environment.

Skybox View Assure and Skybox View Secure

The Skybox Risk View platform comprises two products: Skybox Secure 4.5, for risk exposure and security profile analysis and threat alert management, and Skybox Assure, which manages the firewall and performs network compliance auditing. The platform application is scalable and is made up of the Skybox View Server, Skybox View Collector, Skybox View Manager and Skybox View Dictionary. The dictionary is the database for definitions and profiles for vulnerabilities, threats, worms and network security policies.

Skybox uses vulnerability scanners and analysis to categorize, quantify and prioritize threats to the network. Using the Skybox Assure software suite, we managed network policy validations, regulatory compliance audits and network device changes. With the automation features provided, we ran audit checks on thousands of firewall rule-bases.

We found that the install documentation for Skybox was excellent. Skybox provides several methods to import device configuration files into the Skybox View database. There are also several ways to automate the configuration collection process. If configuration data is located in a database or file repository, the data can be directly imported into Skybox View. You need additional Skybox View Collectors if you want to directly import configuration files on segmented networks.

We used the Operational Console to create tasks using the New Task wizard and selecting a Task Type. There is a convenient option for scheduling collection that can be set for a specific hour, or to be run daily, weekly, monthly or yearly. We could also program the Task Wizard to schedule data import from file repositories with configuration files. We could create task sequences to run the tasks at a scheduled time.

We saw that APIs were also available to facilitate integration with large third-party management tools, such as Opsware, to obtain stored configuration files.

Once the configuration files are loaded into Skybox View, the compliance auditor in Skybox View Assure uses its predefined best-practice access policy to analyze the firewall policies. We used the Policy Compliance Report table to view Violated Rules, Access Compliance and Rule Compliance.

We tested the Risk Exposure Analyzer, which simulates potential attack and access scenarios. After Skybox Secure builds a virtual map of the security model, a business impact analysis is created for what-if attack scenarios.

Results of the attack are used to calculate the business impact of a security breach in terms of confidentiality, integrity and availability. Skybox Secure can import business-impact rules and regulations to classify assets and determine an accurate risk assessment metric.

We used the Access Analyzer feature in Skybox View Assure to answer questions about network access. It can be used for What-If model test scenarios and for connectivity analysis on live networks.

For tracking changes, we used the Change Tracking option in Skybox View Assure. We saw that you could keep records of network and firewall changes for compliance recordkeeping.

Skybox View Assure offers change control and workflow with a ticketing system. While the Firewall Compliance Auditor supports Access Change tickets, the Network Compliance Auditor supports both Access Change and Policy Violation tickets.

We were impressed with the modeling capabilities of the Skybox View Firewall Assurance product. We could simultaneously store three models of the network for running comparison analyses. A side-by-side analysis report makes it effortless to see the changes between two versions of the same network model.

Skybox View Risk Exposure Analyzer presents features to organize the network based on business units and assets. We obtained network vulnerability data from second-party vulnerability scanners such as Nessus and Qualys. Using attack scenario options, we generated detailed reports on vulnerabilities uncovered by the simulation. Although we did not see a predefined vulnerability test suite for running attack situations, the Risk Exposure Analyzer is a valuable asset when combined with the modeling capabilities of View Firewall Assurance. Vulnerabilities could be tested on a network model before deploying any equipment.

Tufin SecureTrack

With SecureTrack from Tufin, you can manage and audit firewalls, routers and switches, plus access an incorporated view of firewalls and other devices in your network. SecureTrack supplies automated reporting of risk and audit status, monitors firewall operating systems and supports security compliance standards.

We set up SecureTrack on a VMware appliance. Installation was quick, with no problems. After we saved the settings, the login screen appeared and we could access the Tufin SecureTrack server.

The screen has icons for Policy Change Reports, Rule Usage Statistics, Security Risk Reports and Best Practices Audit. Users can choose to be notified immediately of policy changes and to receive weekly reports.

Optimization and cleanup are a big part of SecureTrack’s capabilities. With the goal of ensuring the rule base is not in violation of corporate and regulatory compliance, SecureTrack continually monitors firewalls, routers and switches. The SecureTrack Compare feature lists the number of recent revisions next to the device name. New revision alerts appear when revisions are generated. The Revision List can be filtered based on 10 attributes.

We used SecureTrack Analyzer to identify overlapping and redundant rules. To access predefined best practice policies that are stored in the SecureTrack database, we used the Audit and Compliance option. There are best practice checks for all firewalls and for specific firewalls such as Check Point. SecureTrack also offers predefined policy analysis audits for PCI-DSS compliance. You can also set up alerts to be sent when security policy rule changes are made.

We found the browser dashboard to be crisp and well laid out. We liked the Compare Analysis option for comparing firewall revisions and maintaining the audit trail.

Custom firewall audits were created with the SecureTrack Audit wizard for detailed answers on compliance policies. An impressive list of predefined audit templates can be selected with a wizard, thereby saving time. There is also a predefined PCI-DSS audit analysis feature used to create reports for audit policy with a summary detailing the compliance verification.

We liked the Security Trend analysis reports with charts, graphs and a summary table displaying risk scoring. Tufin does not base the scores on the CVSS, as is common practice with similar products. We did find SecureTrack to be a good product for auditing and maintaining compliance with best practices based on industry and corporate policies. ■

Smithers is a Network World Test Alliance Partner and CEO of Miercom, a testing lab and network consultancy. He can be reached at rsmithers@miercom.com.
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HiPerLink 

- Copper - 


■ 
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©Copyright  2010,  ICC. 


Data  Center  cabling  doesn't  have  to  be  messy. 

Try  ICC's  pre-terminated  solutions. 

•  Factory  assembled  in  Southern  California,  turn-around  2  weeks  or  less’ 

•  Factory  tested,  performance  results  included 

•  CAT  6  up  to  dB  NEXT  headroom 

•  Install  right  out  of  the  box,  modular  for  easy  MACs  later 

•  I  5  Year  Link  Performance  Warranty 

•  Cost  40%  less  than  most  name  brands,  even  less  than  on-site  cabling 
E-mail  us  or  give  us  a  call,  you  will  be  surprised  how  easy  it  is. 


mr$ 


icc.com/hiper: 

.,  tMitjjk ,  '*'/■(  ?ji, 

Bragg  $ kfmmk  * 

BtBWrare 

‘Upon  approval  of  specs  and  terms 


Data  Cabling  Made  Easy 
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WHILE  YOU  WERE  OUT 

3r:_  _ Time:  iMidJle  fe  ftfghtl. 


PROBLEM: 


SERVER  WENT  DOWN 

X 

POWER  FAILURE 

X 

WATER  ON  FLOOR 

X 

— 

TEMPERATURE  HIGH 

X 

Sensaphone  Remote  Monitoring  Products  use 
redundant  communication  paths,  built-in  battery 
backup,  and  supervised  sensors  to  make  sure  that 
when  something  happens  in  your  computer  room 
you...  GET  THE  MESSAGE. 

Notification  via: 

•  Voice  Phone  Call  •  E-Mail 

•  Text  Message  •  SNMP  Trap 

•  Pager  •  Fax 

Get  your  FREE  application  guide  now 


SENSAPHONE"  877-373-2700 

remote  monitoring  solutions  www.sensaphone.com 


MADE  IN  THI 


U! 


17-Outlet  Power  Strip 


SHOWS:  Volts,  Amps,  Watt,  VA, 
Frequency,  Power  Factor  &  KWH 


Network  Management  System 
RemoteiOutletvControl 


Manage  multiple  network 
devices  via  the  Internet 


purchase  directly  at 

A-Neutronics*  www.a-neutronics.com 

or  call  toll-free:  1  -877-263-8876 


Instantly  Search  Terabytes  of  Text 

♦  25+  full-text  and  fielded  data  search  options 

♦  Built-in  file  parsers  and  converters  highlight  hits  in  popular  file  types 

♦  Spider  supports  static  and  dynamic  web  data;  highlights  hits  with 
links,  formatting  and  images  intact 

♦  API  supports  C++,  .NET,  Java,  SQL,  etc.  .NET  Spider  API. 

Includes  64-bit  (Win/Linux) 

♦  Fully-functional  evaluations  available 

Content  extraction  only  licenses  also  available 

"Bottom  line:  dtSearch  manages  a  terabyte  of  text  in  a  single  index 
and  returns  results  in  less  than  a  second"  —  InfoWorld 

dtSearch  "covers  all  data  sources  ...  powerful  Web-based  engines" 

—  eWEEK 

"Lightning  fast ...  performance  was  unmatched  by  any  other  product" 

—  Redmond  Magazine 

For  hundreds  more  reviews,  and  hundreds  of  developer 
case  studies,  see  www.dtSearch.com 

1-800-IT-FINDS  •  www.dtSearch.com 

The  Smart  Choice  for  Text  Retrieval9  since  1991 
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Announcing  the  new,  interactive 
energy-saving  Smart-UPS  from  ARC. 


Configurable  interface: 

Set  up  and  control  key  UPS  parameters 
and  functions  using  the  intuitive  navigation 
keys.  On  rack/tower  convertible  models,  the 
display  rotates  90  degrees  for  easy  viewing 


Intuitive  alphanumeric  display: 

Get  detailed  UPS  and  power  quality 
information  at  a  glance  -  including  status, 
about,  and  diagnostic  log  menus  in  your 
choice  of  up  to  five  languages. 


Energy  savings: 

A  patent-pending  "green" 
mode  achieves  online  effi¬ 
ciencies  approaching  99  per¬ 
cent,  reducing  heat  loss  and 
utility  costs. 


If  you  want  Legendary  Reliability™ 
inside,  it  had  better  say  APC™  outside. 

What  do  you  get  when  you  combine  25  years  of  Legendary  Reliability  with  the 
latest  in  UPS  technology?  Introducing  the  new  APC  Smart-UPS™  range  of 
interactive,  intuitive,  and  energy-saving  UPSs,  designed  to  protect  critical  server 
and  network  equipment  from  power  threats  and  downtime. 

New  APC  Smart-UPS:  Smarter.  Easier.  Greener. 

Thanks  to  millions  of  dollars  in  research,  APC  can  proudly  claim  that  only  the 
new  Smart-UPS  features  the  unique  battery  life  expectancy  predictor,  telling  you 
the  exact  month  and  year  for  battery  replacement.  Precision  temperature-com¬ 
pensated  charging  extends  battery  life;  unique  power  meter  function  monitors 
energy  usage;  and  a  patent-pending  “green”  mode  boosts  online  efficiencies  up 
to  99  percent,  saving  on  utility  costs.  Plus,  the  interactive  LCD  provides  detailed 
status,  configuration,  and  diagnostic  information  previously  available  only  via 
software. 


Only  APC  offers  the  most  technologically  advanced, 
user-friendly  features,  and  the  guaranteed  reliability 
you  need  to  protect  your  critical  data  and  equipment 
Look  for  APC  on  the  outside  to  ensure 


When  dollars  count  and  performance  is  critical,  insist  on  the  more  intelligent, 
more  intuitive  APC  Smart-UPS.  Now  more  than  ever,  the  name  on  the  outside 
guarantees  reliability  on  the  inside:  APC  Smart-UPS. 


Legendary  Reliability  on  the  inside. 


Download  a  FREE  copy  of  APC  White  Paper  #10,  "Preventing 
Data  Corruption  in  the  Event  of  an  Extended  Power  Outage." 
Visit  www.apc.com/promo  Key  Code  t460w 
Call  888-289-APCC  x6198  •  Fax  401-788-2797 


A? C 

by  Schneider  Electric 


©2010  Schneider  Electric  Industries  SAS,  All  Rights  Reserved.  Schneider  Electric,  APC,  Smart-UPS,  and  Legendary  Reliability  are  owned  by  Schneider  Electnc,  or  its  affiliated  companies 
in  the  United  States  and  other  countries,  e-mail:  esupport@apc.oom  •  132  Fairgrounds  Road,  West  Kingston,  Rl  02892  USA  •  998-2158 
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SuperGoose  II 

Climate  Monitor 

*499 


Monitor 

•  Temperature  &  Humidity 

•  Air  Flow,  Light  &  Sound 

•  3  Analog  Inputs  1 

•  5  Digital  Sensor  Ports  1 

Alerts  with  Escalations 

•  E-mail,  SNMP  Traps 

•  Audible  Alarm  Buzzer 

Features 

^8uTlt-in  Web  Interface 

•  LCD  Display 

•  Optional  IP  Web  Cams 


To  order  your  copy,  visit 
iTWatchDogs.com/Book 


Server  Room 
Climate  &  Power 
Monitoring 


sales@itwatchdogs.com  •  512.257.1462  •  www.itwatchdogs.com 


Q: Want to reach 170,000 readers?
A: Place your ad here

The Marketplace section of NETWORKWORLD

For more information contact:
Enku Gubaie
508.766.5487
egubaie@idgenterprise.com


Need Cables?

Leave it to us! Our job is to make sure the cables are there when you need them and exactly the way you want them - colors, length, labeling, kitting, packaging... you name it, we do it, with guaranteed performance. CAT5e, CAT6, CAT6A, UTP, FTP, Fiber OM3, 10G, and more. Talk to our dedicated account reps and find out how we helped thousands of network implementations.

And need them “yesterday”?
Waiting for change


EVERYTHING CHANGES if you wait long enough. For example, did you know that the Internet is finished? Yep, the artist formerly known as Prince (who now seems to be known as Prince again) declared a few days ago that “The Internet’s completely over ... The Internet’s like MTV. At one time MTV was hip and suddenly it became outdated.” Thanks Prince, good to know.

Anyway, here in Ventura, Calif., we’re waiting for the weather to change. Sure, we normally have “June gloom” but this is usually followed by glorious, sunny weather that is, dare I say it, exquisite. However this year, April was sort of gloomy, May was mostly gloomy, June was gloomier than usual, and now July is trying to out-do June. This is ridiculous. You pay heavily to live in California, but usually with such great weather you feel like there’s a reason for the expense. This year, we all deserve a tax refund.

And talking about things that are changing, or, at least, reputedly changing, I have to revisit my recent rant about Sprint’s customer service, or rather lack thereof.

In that column I addressed my criticisms to Sprint’s CEO, Dan Hesse, pointing out that Sprint doesn’t care about existing customers. Its pricing for a replacement phone one year into a two-year contract was ridiculous given I could pay the early termination fee and go to another service provider and get a better phone for a lot less money.

As I discussed a couple of weeks ago, I switched, of all things, to a Sprint service reseller, Credo, and am quite happy and much better off. Then about a week after my switch, a press release from Sprint landed on my virtual doorstep.


The release said, with an air of smug self-satisfaction, that Sprint is changing: “It’s one thing to grow a company ground-up on a commitment to deliver an outstanding customer experience [could that be a jibe at the likes of Credo?]. It’s quite a different feat to introduce the concept to a multi-billion dollar enterprise.”

It continued: “Sprint is changing its tune — externally and internally — to hold onto customers in an industry with one of the highest churn rates. Sprint ... has flipped its strategy to focus on a singular mission: improve the customer experience.”

Oh, really? I ask because as I wrote in my previous column, I saw no evidence of this new, improved “tune” when I was talking to Sprint customer service; all I heard was the same old, tired dirge that scores of readers of this column have written in about. That dirge has, as a backing track, the industry standard business-as-usual hum of disinterest in the customer.

The Sprint press release added, “Gartner will announce Sprint as the winner of its CRM Excellence Award in the ‘Customer Experience’ category,” from which I conclude that all cell phone service providers stink (which, according to you, dear readers, is the case). Sprint must therefore stink least.

In spite of my snarky disbelief I’m going to give Sprint the benefit of the doubt here and hope it can live up to its press release hyperbole because change is always possible. That said, I’m betting that unlike waiting for better weather here in Ventura, major improvement in Sprint’s customer service could be much longer coming. ■

Reach Gibbs in Ventura, Calif., at backspin@gibbs.com.
Taking distracted driving to the next level


HEADED WEST on the Massachusetts Turnpike, I pass a car being operated by a young woman who has both hands firmly on the steering wheel, just like they teach when you get your license. Rather than the classic 10 o’clock and 2 o’clock positioning, however, hers are clamped more like 11:45 and 12:15, or the optimum setup for thumb-texting on whatever mobile device it was she had balanced in between ... And texting she was, most furiously.

Dangerous behavior, yes, but barely noteworthy these days and not what made me do the triple-take.

What did? That would be her left foot. Her left foot?

You heard me, her left foot, which instead of being on the floorboard near its significant other, her right foot, was sticking out the driver’s side window practically begging passersby to play This Little Piggy. (“This little piggy went to market ... this little piggy is admiring itself in the side-view mirror ...”)

Texting like a madwoman, toes flapping in the breeze, tooling on down the highway: This diva was not only the embodiment of distracted driving, but a genuine trailblazer.

Coincidentally, Massachusetts on July 2 became the 29th state to outlaw texting while driving, although clearly the prohibition had failed to impress Miss Twinkle-Toes, presuming someone had bothered to message her the news. And my guess would be that she didn’t notice my head shaking as I passed her either.

At least she wasn’t speeding.

(Final thought: Yes, it has occurred to me that I didn’t see what I think I saw; that this scene was actually a variation of the old foot-sticking-out-of-the-trunk gag. Maybe. But the young lady and her seat were definitely reclined, as if to facilitate a full-scale left-foot escape; so if it was a gag it was a darn good one.)

Wikipedia’s million-dollar faux pas

Hey, look, someone donated a million dollars to Wikipedia — anonymously, no less.

At least that was the headline on Digg and we could all see it was true because there was a link to the database of donors and a screen capture with a red circle around the amount and everything.

A million smackaroos from a benefactor too shy to accept a public thank-you? Now that’s news, so I fired off an e-mail to Jay Walsh, Wikipedia’s head of communication, to see if it was indeed true and if he could tell me anything at all about the bashful donor. Walsh’s reply:

“In fact it turns out there was a slight glitch in how that donation was reported through our system. The amount is 100% correct, but the donation should have been attributed to the Alfred P. Sloan Foundation. We’ve corrected the link. This is the third part of a three-year, one million dollars per year grant that was announced back in March, 2008.

“Glad the Digg folks pointed this out, and we’re now tracking the comment/donation input system a bit more carefully.”

There are easy wisecracks to be made here about Wikipedia and accuracy. Too easy. ■

Of course, rarely does a week go by without someone helpfully drawing attention to an error of my own doing. The address is buzz@nww.com.
Cross-country network. Cross-town support.


Introducing CenturyLink™ Business

CenturyTel and EMBARQ have merged — and the result is CenturyLink, delivering top-tier business data network solutions to customers throughout the U.S. You can count on us to combine a state-of-the-art national network with local support from people right in your own community.


Partner with CenturyLink and make sure your business is Stronger Connected™ — across country and across town.

Learn more at centurylink.com/stronger or call 1-866-345-0814.


©2010 CenturyTel, Inc. All Rights Reserved.

The name CenturyLink and the pathways logo are trademarks of CenturyTel, Inc.
HP is changing networking.

Gone are the days of networks that are hard to manage, vulnerable to attacks, and expensive to maintain. With HP game-changing solutions, the status quo is history.


The New Rules of Networking

#1 Simplified network designs that are twice as secure¹

#2 Up to 2x better performance for greater flexibility²

#3 Up to 65% lower cost of ownership³

Put the new rules to work for you.
hp.com/networking/change

Outcomes that matter.